Will they still be able to use the seed words in another wallet with the same derivation path, even if they also used a password?
Unfortunately, no!
By recovering the wallet using only the 24 words seed you will get the same
dummy wallet you already have on your HW.
Many confuses the Ledger passphrase with the password other wallets use. The password you define when you create a wallet, for example, with Electrum, only serves to encrypt the wallet file on your device. Therefore, even if you lose it, it is still possible to recover your wallet if you have its seed. The passphrase on the other hand is part of the seed itself and losing it is the same as losing the whole seed.
Your friends only option right now is to try to brute force it.