If you're referring to the firmware update that allowed the Recover "option" to work, it doesn't matter if you sign up for it or not; Ledger admitted they can pinch your private keys out of the secure element at any time, which they had previously said wasn't possible
YES.
Anybody who says you have to use the buttons to confirm actions is assuming that to be true. Since Ledger's code is closed, no one but Ledger knows for sure what their code actually does. Even Ledger admitted they can't prove their code doesn't have any backdoors. They lied, saying "...because you can't disprove a negative," but that's nonsense. Ledger can't prove their code doesn't have backdoors because Ledger's code isn't open.
Anyone who tells you Ledger's code is safe is making assumptions about their code, and that's very dangerous.