The fact that one can upload new firmware does increase the risks. For one thing, a hacker or a rogue satoshilabs employee could get his malicious firmware signed
No, because those malicious firmware won't be digitally signed. We do use ECDSA, so the firmware signature uses the same strong crypto as bitcoin itself.
Suppose that one day a client tries to use his Trezor, where he put all his BTC, and it shows "warning, firmware is unsigned,do you want to continue?" What is the probability that he will click "yes" (and then enter his passphrase when the device asks for it), rather than calling the Trezor hotline?
As said above, uploading unofficial firmware erases internal memory, so even after using compromited device and clicking "I take the risk" (I would not recommend that), nothing happen, because Trezor is completely empty.