Well, there was no way of accessing sensitive data on the secure element chips either. They have been telling us for years that it's impossible. Turns out, it's quite possible if they integrate the right code.
Hardware wallets, like mixers, are in what I like to call "the trust business". They should never lie, because if they lie about things you can verify, you should assume they also lie about things you can't verify. This should basically be the end of Ledger, that would be the best way to punish them and deter other hardware wallet manufacturers from doing the same.
But we don't live in a perfect world, so they'll probably just get away with it. Again.