Board: Hardware wallets
Topic: Re: Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities
by Pmalek on 29/05/2023, 12:43:32 UTC
It would be really interesting to get the opinion of an expert in this field. I might send an email to Joe Grand to see what his thoughts on the matter are.

The buttons feed in to the MCU, not to the secure element. The MCU is where the firmware is installed.
According to the Ledger Developer Portal source you shared, the firmware is in the secure element chip, not the MCU.

Quote
Furthermore, the Secure Element is also split into two parts: the firmware which is under NDA and is therefore closed-source, and the SDK & application-loaded code which is open source friendly.
 

If Ledger can write firmware which says "Perform action x if confirmed by a button press", then I see no reason they can't write firmware which simply says "Perform action x".
Wouldn't the same be true for all other events, like broadcasting/sending transactions? Then we are back to trust, where we have to "hope" they won't do it. Is Ledger the only company with such an architecture, and how is it handled elsewhere?

Based on the info below, the MCU is instrumental for all actions, which makes sense because it's the brains of the whole product. The SE is the safety deposit box.

Quote
The MCU sends an Event (button press, ticker, USB transfer, …).
The SE responds with a list of zero or more Commands in response to the Event.
The SE sends a Status indicating that the Event is fully processed and waits for another Event.

If I understand it correctly, the MCU has to ask for the keys, and the SE has to confirm it. The question now is: can the optional access by the user be circumvented with the correct code, where their cooperation isn't required?