You are right, but if you look at this case, it seems that there is still a possibility that a maliciously signed transaction can give a hacker access to the entire wallet. There has already been a discussion about the fact that it is not wise to store BTC and altcoins in the same wallet - because it is obvious that there is a risk that the user will lose everything if he makes just one wrong step.
And again, we have an unexplained case that began with a user error. In the beginning, the victim claims he did nothing wrong and didn't sign malicious transactions, the reason being that the scammer was idle for about three years and only then emptied the victim's wallet. Or perhaps the hacker only gained access to certain keys on a service three years after the victim allowed that service certain rights. It still puzzles me how this would work when each transaction needs physical confirmation without the user messing up big time. How can physical confirmation be delayed for three years?