However, even if the user turns off that option, can we say with certainty that the app still does not (secretly) collect data and send it to someone for analysis?
Uhm... what about the key extraction code that's not built into the firmware?
I seriously do not understand why anyone is trusting Ledger at this point. What ever happened to the days of Bitcoiners saying "Don't trust. Verify."? Now, it seems to be "Don't trust, unless the company's CEO wears at least nine rings while defending key extraction firmware. Nine rings or more makes it okay."
There are only three safe uses for a Ledger:
Door stop.
Target practice.
Decoy wallet.