If the attacker it tech savvy, he can decode the SLIP39 mnemonic to bits to see how many required mnemonics and how many backups you have.
That information is certain unlike judging just from the word which is a representation of a 10-bit segment.
The attacker does not need to decrypt everything down to the bits, since the 3rd and 4th word contain information about share groups and the group threshold,
source. In addition, as I wrote above, the fourth word can only have 4 options, so it can hardly be called a full-fledged 10-bit segment, information about the fourth word could easily be encoded using 2 bits (00, 01, 10, 11), but Trezor, for some reason, decided to do otherwise.
Also, an attacker does not have to contact the converter every time, but rather create several tables of correspondence between 3 and 4 words to possible backup options in advance.