People should stop using Ledger; it's obvious that they think of their clients as nothing but a number and an income stream.
I completely agree with the above, and even though I see your point about the biggest issue being their capability of extracting their users' private keys, it would be much more ominous/hideous/[add your own descriptor] if they had already done so and if in fact that's where they got that 20% statistic from. That would just be straight-up evil.
Considering this fact, it is easy to conclude that such data can be collected very easily and also connected to the IP addresses with which they are accessed.
Does the use of the device transmit a user's IP address, or is it Ledger Live that does that? Yeah, I know I'm no noob, but I'm still an ignorant lunkhead when it comes to computer science.