Ledger is closed source and recently implemented features to (supposedly only with your consent) send the private keys off-device. I would rather trust Trezor or BitBox02. You might find my project helpful: https://walletscrutiny.com/