Many reasons doesn't add up, the device seems is genuine regardless the origin where user bought it because of the genuine check, ledger live app was downloaded from official app store. They even setup the device (for trial) then reset it before using the actual address and saving the seed means the device is not tampered and don't have any pre-generated seed.

I could only think is the a users fault, leaking the seed from somewhere else.