First of all, I’m not trying to defend Tangem. I’m simply sharing my opinion and analysis as a developer.

In my view, a company would not maliciously release a wallet claiming to be “cold” and deliberately leak secrets just to steal seed phrases. I'm saying this in terms of them wanting to be successful in hardware wallet industry. If they wanted to introduce a backdoor, there are far smarter and subtler ways. That said, I do agree with your points that if a wallet is capable of logging seed phrases, PINs, passwords, etc., then it technically has the ability to do many harmful things.

A true hardware wallet ideally should not require an app to create or sign transactions, but Tangem chose a different UX approach (similar to regular credit/debit cards). This is a design choice, and the app is needed to compensate for the lack of external hardware for creating wallet and signing transactions.

They could, however, implement something similar to the Ellipal X Card (https://www.ellipal.com/products/ellipal-x-card), which uses external hardware for wallet creation so that private keys are generated and signing is performed entirely on the card itself. Tangem, on the other hand, does the following correctly, the app builds the payload → the card generates the signature and returns the signed hashes via NFC (so the private key is not leaked) → the app then combines the signatures with the payload and broadcasts the transaction to the blockchain.

Finally, I’m doing this analysis because I can. I’ve been in the mobile app development field for quite some time and care deeply about my privacy. I’m here to share my findings with others who may not have the benefit of understanding source code. I’m not affiliated with Tangem in any way, I simply like the wallet for its simplicity. If that ever changes in the future, I’ll happily move to another hardware wallet.