That’s a whole other thing. It’s bee researched and documented. It has to do with their secure element. You can find it and make a decision if it affects your personal threat model.

Kind of. The developers of Coldcard do not do not have the security experience required to properly maintain a secure codebase.