Hi i went onto Trezor security suite and was asked to install a firmware update 2.7.0, all went ok. But unlike a Trezor Suite update this was a firmware update that needed me to enter my password on the device itself. (password not seed phrase)

Leaving aside the risk these genuine firmware updates possibly messing up a device & having to access via the seed phrase what's the bigger security risk?

How do i know a pop up on my screen is a genuine update? and who says its not a hacker pretending to provide a genuine update 2.7.0 say it was a hacker could they take my coins from me entering the password ?

If so is this not a major security risk here?