From my understanding of Trezor's architecture the private key never leaves the chip -- the firmware is only able to send messages in and getting signed messages out.
Which is exactly what Ledger said about their secure element. At the end of the day, the hardware, software, and all the architecture is designed and built by a single entity, and if they wanted to extract your private keys, they could. If Trezor's microcontroller was actually impervious to such attacks, then why are they trying to build their own secure element?