Can you please clarify if it can be read?
Yes, it can be read.
So it can be read, disassembled, and the public key replaced.
I don't think you can *change* what's there easily, but you could just clone a Trezor, adding in a backdoor. But that's always the case without some sort of self-attestation system, AFAIK.