How do y'all rationalize the closed source secure elements vulnerability? Because I would like one..
Replies (3)
That's very easy.
Step 1) suppose the secure element is backdoored
Step 2) stay air gapped forever
Step 3) input your own entropy from dice rolls
Step 4) after signing a transaction, verify the transaction signature on your own node before broadcasting (which I believe but am not certain is done anyway)… just in case the signature is invalid and merely an attempt to disclose private key or seed or something else nefarious.
Step 5) recognize that after the above, a backdoored chip can do nothing nefarious other than sign incorrectly, in which case you need a new signing device/hardware wallet.
Our design takes that into consideration and simply does not trust any single chip alone. You could say the same about all chips in all devices.
Step 1: Don't rely on a secure element in the first place as most use cases are fine with a stateless device.
Step 2: Save a truck load of money. The end.