Board: Hardware wallets
Re: wallet.fail - 35C3 talk on hardware wallet vulnerabilities (Ledger, Trezor)
by o_e_l_e_o on 07/01/2019, 12:13:13 UTC
There is no need to access the private keys since all communication (the display output and the key input) takes place through the application processor. A hacked firmware would just send a transaction to the secure element, skip displaying any message and then send the required keypress to the secure element.

Please do correct me if I'm wrong here, but my understanding was that they installed a custom bootloader only. When the Nano S is started in bootloader mode, the secure element does not allow access to it, and it doesn't even boot. To push a transaction to the secure element they would have to start the Nano S in standard mode, which would require the MCU check, which they did not demonstrate being able to bypass.

Again, Rashid did not follow Ledger's Bounty Program, which he himself admits, instead choosing to publicly publish his findings. You can't expect them to pay people who don't follow the requirements for payment.