Coldcard and Passport are both open source and fully off-line. Problem with Trezor is you have to plug it into the computer. Coldcard and Passport are fully air gapped..
Coldcard has a proprietary secure element. No thank you. Signing transactions by scanning QR codes off screens have also been exposed to have security flaws.
"It is impossible to hack a Trezor without being able to touch the Trezor. It doesn't matter if it is connected to your computer, and the hacker has control of your computer. They won't be able to physically touch/press the confirm button the Trezor. (Nor would they be able to put in the pin number if it is a model T) Now, if you have your seed phrase saved on your computer... that's a different story."
If I’m not mistaken, the creators of Trezor developed BIP39/84 and they are the reason we have HD wallets and mnemonic seed phrases.
Coldcard actually uses two different third-party, known elements, and overall there is more risk plugging your signing device into a computer than using psbt / chip transfer/ QR codes. Personally, I don’t want my signing device to touch the computer. Some people might be more likely to lose their seeds, so a device like Jade or BitKey might be ideal. Ultimately I think all the devices we have talked about are very secure, and it is just a matter of preference. “The COLDCARD Mk4, unlike its predecessors and other products like it on the market, has two Secure Elements (SE) : Microchip’s ATECC608B (which we will refer to as SE1) and Maxim’s DS28C36B (referred to as SE2)” https://blog.coinkite.com/understanding-mk4-security-model/
AFAIK there is no such thing as an open source SE.
Trezor's secure element is open source. Stated this in the notes above.
Only 1/3 of the Trezor devices currently available has a SE. I see nothing on their site about the SE being open source. Last time I checked, a few months ago, there were no open source SEs on the market anywhere.
Correct 1 out of the 3 optjons they offer has an SE for those that think they need an SE. Hahaha you obviously don't dig deep enough. You could have always looked into what kind of SE they use, and the license associated with a quick web search. Just read the headlines. Good for your "toxic bitcoiner". 😆