I'm trying to understand how a Hardware Wallet protects its data when connected to an online computer. If it's compromised one can easily read what's inside the USB. Am I missing something?
The private key is never transferred over the USB. The bootloader doesn't have any codes that would transfer the private key to the computer nor does it need to be exposed that way. The unsigned transaction is transferred through the USB and signed on the device. The private key is always stored within the device in a sanitized environment. As long as the device doesn't send the private key or the seed over the USB, it doesn't matter whatever data is sent to and from the device.