But, OK, let's be more more practical and constructive with the discussion. My next question is, will a "hacker" need to have physical access to the device to hack/steal my private keys, or can he/she steal it remotely? Let's pretend that the device doesn't have the Seed/Wallet Recovery feature on.
Since the sharing of the keys, or more precisely the shards of the keys, happens remotely and over the internet, a hack that captures those shared keys could also be orchestrated over the internet and remotely by a hacker. Ledger claims that no keys can be shared without a user's consent, but how do we know that? They have also said that your keys never leave the device and now we know that they can. A piece of code determines whether or not the key extraction is approved. Even if Ledger did create it in a way where you have to approve key sharing, we can't rule out that a malicious party can't rewrite this and allow key sharing without a user's consent.
The code for Ledger Recover should never be part of the universal firmware. They should never have developed it. But since they did, it should have received its own separate firmware. That way, you would have the standard firmware without Ledger Recover and a special one with Ledger Recover. Each user could decide which way to go, but they didn't do that.