You should not trust the usage of the secure chip unless all of the code and firmware is open-source and signed, so that you can verify all of the interactions with the secure chip.
They mentioned in some of their correspondence that Ledger Recover will be open-source, but that changes nothing if you ask me. Let's say the code confirms every word they have said about Ledger Recover, would you be comfortable using it due to its open-source nature? The sharing of private keys with others is a big no-go, and so is the possibility that such a feature is even possible.
It's probably worth pointing out that this is also the case for Trezor devices, which everyone on Reddit seems to be keen to move to. If Trezor implement malicious software, then the same thing will happen.
The same is possible on all other hardware wallets using similar types of secure element chips. Ledger exposed the whole industry, not just their own business model. We now know that SEs can communicate remotely with other servers if the code tells them to. All non-airgapped hardware wallets are no longer offline devices that have a secure and impenetrable storage for private keys.
But can you ever be sure? I wouldn't want my seed phrases to be 1 tick box away from being sent to them, and risk they take it anyway.
Of course not. I am just stating what the gentlemen from Ledger said.
Serious question: can you upgrade the firmware without unlocking the device?
You have to enter your unlocking PIN the moment you connect your Ledger to your computer to get it to communicate with Ledger Live. I think the firmware gets updated through the Ledger Device Manager, so you have to open that app as well.