Board Hardware wallets
Re: Hardware wallet FUD (nonce attacks, unofficial firmware, etc)
by n0nce on 05/09/2022, 00:00:53 UTC
How do we know the device (Blue Wallet, Passport.. etc.) wouldn't transfer the seed off itself using QR code?
Just verify the QR codes. Generate a PSBT using the wallet application (in your example, BlueWallet), decode it and verify that it's just a PSBT.
Then take the signed PSBT QR code from the Passport and do the same.

I am repeating myself, but for maximum paranoia-security, you can read through Passport's firmware codebase, notice that it doesn't add any data except the signed PSBT to the QR code, then build it yourself, add your developer key into the Passport and flash it with your built binary.
This guarantees you that it's not doing anything dodgy.

Keep in mind, the application (BlueWallet) can't really 'leak' anything through the QR code anyway, as you only scan it with the hardware wallet. The hardware wallet always 'knows more' (the seed phrase) than the app, so there's nothing to be leaked in that direction.
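
The "decode it and verify that it's just a PSBT" check from the post above, as an added example that is not part of the original post and not code from BlueWallet or Passport. It assumes the QR frames have already been reassembled into a base64 PSBT (version 0); `audit_psbt`, the other helper names and the key-type allowlist are illustrative choices.

```python
import base64, io

MAGIC = b"psbt\xff"
# Assumed allowlist of BIP 174 (PSBT v0) key types; 0xFC (proprietary) is left out on purpose.
KNOWN = {"global": {0x00, 0x01, 0xFB}, "output": {0, 1, 2, 5, 6, 7},
         "input": set(range(0x00, 0x0E)) | set(range(0x13, 0x19))}
SAMPLE = base64.b64encode(bytes.fromhex(  # constructed sample: 1 input, 1 output, empty maps
    "70736274ff" "0100" "52" "0200000001" + "11" * 32 + "00000000" "00" "ffffffff"
    "01" "e803000000000000" "16" "0014" + "22" * 20 + "00000000" "00" "00" "00")).decode()

def take(s, n):
    if len(b := s.read(n)) != n:
        raise ValueError("truncated")
    return b

def varint(s):  # Bitcoin compact-size integer
    n = take(s, 1)[0]
    return n if n < 0xFD else int.from_bytes(take(s, 1 << (n - 0xFC)), "little")

def read_map(s, kind, findings):  # one key-value map, up to its 0x00 separator
    seen = {}
    while (klen := varint(s)) != 0:
        ktype = varint(io.BytesIO(take(s, klen)))
        seen[ktype] = take(s, varint(s))
        if ktype not in KNOWN[kind]:
            findings.append(f"{kind} map: unexpected key type {ktype:#04x}")
    return seen

def count_io(tx):  # input/output counts of the unsigned, non-witness transaction
    s = io.BytesIO(tx); take(s, 4)                    # version
    for _ in range(n_in := varint(s)):
        take(s, 36); take(s, varint(s)); take(s, 4)   # outpoint, scriptSig, sequence
    for _ in range(n_out := varint(s)):
        take(s, 8); take(s, varint(s))                # amount, scriptPubKey
    return n_in, n_out

def audit_psbt(b64):  # empty list = the payload holds a PSBT and nothing else
    findings = []
    try:
        s = io.BytesIO(base64.b64decode(b64, validate=True))
        if take(s, len(MAGIC)) != MAGIC:
            raise ValueError("bad magic")
        n_in, n_out = count_io(read_map(s, "global", findings)[0x00])
        for kind in ["input"] * n_in + ["output"] * n_out:
            read_map(s, kind, findings)
        if extra := s.read():
            findings.append(f"{len(extra)} trailing bytes after the last map")
    except (ValueError, KeyError) as e:
        findings.append(f"not a well-formed v0 PSBT: {e!r}")
    return findings
```

An empty result means the payload is structurally a PSBT with only allowlisted fields and no bytes after the last map; it says nothing about the values inside the signatures themselves.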