“Backdoor would mean that we control all ledger devices and could run automated updates for example… That’s not the case. Will never be the case. Only you can use functions on your ledger. No one else can enter your pin code and press those buttons…”[1]
Well, there was no way of accessing sensitive data on the secure element chips either. They have been telling us for years that it's impossible. Turns out, it's quite possible if they integrate the right code. If one day they go real evil, that code would not need your physical button presses at all. No one can verify how the system works, and the trust is gone following their public suicide.
Given that the Recovery feature doesn't make sense in cases where a user has set up a passphrase since a seed phrase alone is insufficient to get access to coins, it would make sense for Ledger developers to include a passphrase into this encrypted transfer scheme, especially considering the fact that it is equally important for a successful recovery and already sitting in a device's memory.
Do you think the target audience who can't store their seed safely and need Ledger Recover to do it for them (or think it's a good idea) use passphrases? I don't.