My take - the take I had adopted for nostr:npub1j9kttlc86w63emmldd4h74rekyqpksqup6p9trhp5gjsf374qlyszvuswx - is that a "secure element" does not get in the way of verifiability iff it does never handle the private key material. It may contribute "true randomness" and it can be used for a key encryption key but the parts that actually touch the keys must be public source and binaries reproducible and the device itself has to show the actual hash of the binary you are trying to install prior to installation.