They don't need to. As I pointed out earlier in this thread:
It's not clear yet, but we know they must have the means to decrypt it themselves. You can lose your hardware wallet and your seed phrase, and still recover your wallets on a new device. This means that everything needed to recover your seed phrase (i.e. the shares and their decryption keys) is stored by one or more third parties, since you need to provide absolutely nothing yourself, not even the original device.
If you are able to recover everything to a brand new device, then that means Ledger and their third-party buddies are storing everything needed to fully recover your wallet. This means not just the encrypted shards, but the decryption key as well.
To me, this looks very suspicious because you need a communication channel between hardware wallets to transfer a decryption key, which basically means you have to rely on a third-party provider (most likely the entity asking you for documents) to store and send it to you after a successful KYC procedure.
Further, all three of your encrypted shards and their decryption key must first pass from your hardware wallet to your computer, and then all be sent out from your computer to these third parties. You are exposing your seed phrase to the same risks as any other hot wallet.