There is also an attack called the Evil Maid attack where someone can put a malware onto a device which is something that can be done on hardware wallets especially Ledger since they don't have a tamper proof stick of some kind in their boxes so you would really have to rely on their security features if it can really outsmart any malware being tried to install on these devices. So its really a gamble when buying these devices online maybe buying it directly to their website is a smart choice if you really want it to be directly coming from the manufacturers itself.