There are several vectors of possible attack which could occur here:
- Ledger was accessed and returned without your knowledge
- Mnemonic phrase paper was accessed and returned without your knowledge
- You bought a pre-initialized or fake Ledger device
- You restored your wallet from the mnemonic phrase at some point - as soon as the phrase is entered into an electronic device, you should consider it compromised
- You used your Ledger paired with fake software, such as the fake versions of Electrum which have been going around, and mistakenly signed a malicious transaction
You say:
> Nobody has access to the secret words that set up the device.
When initializing a Ledger, it generates the words for you. Did you use words from elsewhere to set up your Ledger?