The amount of data that the device receives is only exactly what it needs.
It's not programmed to do anything with extra data.
The device tells you what it's doing; you sign it (normal HW stuff).
Then it transfers the information to your phone with a QR code.
You then confirm the same information on your phone and broadcast the data to the Internet.

Both your phone and your offline hardware device would have to be hacked with the same exploit in order for this to fail. Seems pretty unlikely, especially if you verified and compiled the code yourself. Anyone without those technical skills needs to acquire the hardware device from an entity they trust (or at least someone who will never have access to their phone). Theoretically you could even have an offline device whose sole purpose is to read QR codes which would make it quite impossible to leak private keys from the device.

Also, you should never acquire a hardware wallet from someone and then also use that person's frontend node to broadcast transaction. This would give the same entity access to both endpoints. In theory such an exploit could still be intercepted and squashed when filtered through the QR code to the phone, so the app on the phone also shouldn't be the same person we get the hardware wallet from.

Regardless of all this I'm grateful to have access to Hive's recovery feature.
This is truly the ultimate oh-shit button that many are taking for granted.