It sounds very strange that Trezor Suite would be able to know what the PIN is. There would be no reason to buy a Model One; it defeats the purpose of buying a hw wallet. Model One sounds like a medium warm or lukewarm wallet, not entirely a hot wallet but not entirely a cold wallet.
As Forsyth Jones was kind enough to show and explain how Trezor One does it safely, your assessment of Trezor One is simply wrong. There are numerous YouTube videos that show how Trezor One works. You could have easily informed yourself before you make such statements.
The folks at Trezor aren't stupid, they implemented a quite clever scheme by which Trezor Suite doesn't get the PIN and the mouse clicks don't reveal the numbers on the virtual numberpad that the Trezor One displays.
A wallet is either cold or it is hot; there's no in-between. You can't make a hot wallet cold again. A cold wallet that turned hot by exposure to an online device can therefore never become cold again.
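The scrambled-keypad PIN entry mentioned in the post above, sketched as an added example that is not part of the thread and is not Trezor's code. It assumes the commonly documented behaviour: the device shows digits 1-9 in a fresh random arrangement, the host shows a blank 3x3 grid and sends only the clicked positions. The `Device` class, `host_encode` and the PIN `2468` are constructed for illustration.

```python
import secrets

# Assumption: host cells are numbered like a numeric keypad,
# top row 7 8 9, middle row 4 5 6, bottom row 1 2 3.
POSITIONS = [7, 8, 9, 4, 5, 6, 1, 2, 3]


class Device:
    """Toy model of the hardware-wallet side (hypothetical, not firmware)."""

    def __init__(self, pin):
        self._pin = pin          # never leaves the device
        self._layout = None      # one-time position -> digit map

    def new_prompt(self):
        # Fresh random permutation of 1-9 for every prompt. On real
        # hardware this is only drawn on the device's own screen.
        digits = list("123456789")
        self._layout = {
            pos: digits.pop(secrets.randbelow(len(digits)))
            for pos in POSITIONS
        }
        return dict(self._layout)

    def check(self, clicked_positions):
        # Use the layout once, then discard it so a replay cannot succeed.
        layout, self._layout = self._layout, None
        if layout is None:
            return False
        entered = "".join(layout[int(p)] for p in clicked_positions)
        return secrets.compare_digest(entered, self._pin)


def host_encode(pin, layout_on_device_screen):
    """The user's part: read the device screen, click the matching blank
    cells on the host. Only these positions cross the USB link."""
    digit_to_pos = {d: p for p, d in layout_on_device_screen.items()}
    return "".join(str(digit_to_pos[d]) for d in pin)


def demo(pin="2468"):
    dev = Device(pin)
    seen = dev.new_prompt()               # what the user reads off the device
    clicks = host_encode(pin, seen)       # all the host software ever sees
    first = dev.check(clicks)             # accepted
    replay = dev.check(clicks)            # same clicks, layout already spent
    return clicks, first, replay


if __name__ == "__main__":
    print(demo())
```

The host learns a string of positions whose meaning depends on a layout it never sees, and the mapping changes on every prompt.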