What about key derivation? What are the chances that one could derive a seed by taking control of a public master key and something else? I've heard some concerns along the lines about key derivation, which is why I just would avoid seed-based wallets altogether and would focus on the classic wallet.dat format, but I haven't studied the details; I have just heard conflicting opinions.
If a malicious actor knows the master public key (xpub) and one derived private key (child private key), he is able to derive all private keys (in the same derivation path (if using hardened); without hardened, I believe he will be able to derive ALL private keys).
That's the only risk associated with using HD wallets.