I definitely would never recommend this. Buying from an official reseller is the absolute limit of what I consider acceptable, and even then I still have reservations when compared to buying direct from the manufacturer. Buying from a random third party is just asking for trouble. You have absolutely no idea how many people have had their hands on that device or what they might have managed to do to it. Yes, good hardware wallets have built in verification process and cryptographic checks, but for every vulnerability or way to bypass these checks that is found someone has to be the first person to do so.

Probably worth point out that this was only possible because the Trezor device in question was running old firmware which contained a specific vulnerability. This was patched years ago and so this is no longer an issue.