That is why I came to like the combination of SE and MCU where the SE is oblivious to what the MCU stores but the MCU stores all secrets with a key only the SE knows. What's wrong with that? Now the auditor can treat the SE as a black box that yields a key encryption key only if provided with a secret but bricks itself if the secret cannot be provided in x attempts.

You say, Coldcard could do something shady in their not-a-ROM boot ROM? But that's MCU side, right? So can we audit it? Or are you talking about the hardware not being what they claim it is?