To clarify (?):
* No device will protect you, if you got the wrong address to start with.
the discussion was about finding methods to prevent that,
BIP70 with a correctly enforced certificate chain being one suggestion, in which the device can help (by enforcing said certificate chain)
Exactly. AFAIK Trezor plans to implement this BIP once it's accepted (It's in the final draft stage now). But provided that BIP70 is used, device may be able to protect you against address replacing malware.