The private keys are kept in a sealed environment known as the Secure Element. The keys only get used when you need to sign transactions to spend coins. For that, you need to physically allow your device to sign the transaction by pressing the two buttons on top of it. No software or third party can see your keys or broadcast the transaction for you.
The secure element doesn't matter all that much in terms of securing the keys from malware. The purpose it serves is to make it harder for them to be extracted via physical attacks. Malware attacks are mitigated by designing the firmware and bootloader to not arbitrarily communicate sensitive information over USB. The secure element doesn't ensure this; the MCU does. Secure elements mostly act as a storage medium.
In certain hardware wallets, the private keys have to be exposed to the MCU for transaction signing, as certain security elements are incapable of signing transactions. The environment is still sanitized nonetheless.