the data leaks we saw from Ledger and other companies never included any addresses or xpubs.
That's because Ledger didn't have them. Once they launch their Ledger Recover service, they will. They and the companies they're partnering with will have the keys AND the KYC needed to recover the keys.The amount of coins never leaked anywhere which means those who still have those databases can't know who owns what. But since their names are on a list of hardware wallet users, it's reasonable to assume they have coins whose keys they believe are worth protecting with such devices.
Again, Ledger Recover didn't exist back then. Ledger Recover is a new service which extracts keys from users' hardware wallets and includes the user's personal information (KYC).I'm guessing you're not familiar with Ledger Recover, so here are some links you might want to check out:----
Don't be naive, the fact that they only recently announced that they will enable such an option, does not mean that this option did not exist in the past - and considering that their devices are not completely open source, no one could know if it was possible to extract the seed from the device. Their CEO confirmed that everything is based on trust, that is, that the whole thing is whether we believe that the company will not do something bad, regardless of whether there is (or not) the possibility that some feature will be misused in some way by someone who will get access to their systems.
I would not agree that @Pmalek is not familiar with the recover option, because all those links you posted have long been in the topic :
Ledger Recovery - Send your (encrypted) recovery phrase to 3rd parties entities