"shouldn't" is always what the answer will be.  The code needs to be open source, then we can confirm "shouldn't" is correct, otherwise ledger should just say "trust us, it shouldn't".  

Even if the code was open there are bugs in code that make it a "shouldn't".

021da48107

bitcoin

Ledger clarifies how its firmware works after deleted tweet controversy

phygit

> shouldn’t be able to copy the device’s private key without the user’s consent

The word "shouldn't" doesn't exactly inspire confidence.