I am assuming a hardware wallet that is not compromised, with software that is compromised.
That is exactly what I do: generate and compare lists. But I think the clever attack vector would be to wait for several months before the attack. Let the user start trusting the software, as they use up those first 20 or so addresses they compared.
I'm sure it's not a common attack vector. But I'm curious about the math of generating/mining similar addresses, how feasible it is and how much time and power it takes.
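The cost question in the post, worked as an added estimate that is not part of the original post. It assumes the attacker can do no better than generating random keys, treats every Base58 character after the fixed version character as uniformly distributed (an approximation), and uses a symbolic trial rate $r$ (keys per second) rather than any measured hardware figure.

If the user compares $k$ chosen character positions (say $a$ at the front and $b$ at the end, $k = a + b$), one random candidate matches all of them with probability

$$P(\text{match}) \approx 58^{-k}.$$

The number of trials until the first match is geometric with that success probability, so the expected number of candidate keys, each costing one secp256k1 scalar multiplication plus a SHA-256 and a RIPEMD-160, is

$$E[T] \approx \frac{1}{58^{-k}} = 58^{k}, \qquad \text{expected time} \approx \frac{58^{k}}{r}.$$

For $k = 4$ (two characters at each end): $58^{4} \approx 1.1 \times 10^{7}$ trials. For $k = 8$: $58^{8} \approx 1.3 \times 10^{14}$. Every additional compared character multiplies the attacker's work by 58, so the number of characters the user actually checks is the whole security parameter. Two caveats: the leading "1" of a P2PKH address is fixed by the version byte and contributes nothing to $k$ (formats with a fixed prefix such as "bc1q" behave the same, with their own alphabet size in place of 58), and a full-address comparison corresponds to matching the entire 160-bit hash, about $2^{160}$ work, which is the only comparison that mining cannot defeat given enough time.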