It still puzzles me how this would work when each transaction needs physical confirmation without the user messing up big time. How can physical confirmation be delayed for three years?
Prove it.
That's the problem with closed source code. There's no way to prove there aren't any backdoors. Even Ledger admitted this.
"There's no backdoor and I obviously can't prove it"
--btchip, Ledger co-founder
No one should be using hardware wallets with closed source code, but Ledger is really good at marketing and most people don't know better.