Depends on who you ask. The secure elements on the CC have apparently been hacked. But I haven’t confirmed personally only read about it. And their software is no longer truly FOSS. You can only read the code.
Discussion
Hacked as in; if my cc gets stolen my seed is comprised ?
Yes I'm not a fan of the Foss thing
Yes. The person would need physical access to your CC from what I read. Then they could deploy the hack to the secure element. So as long as that fits your risk model and it hasn’t been plugged into a computer (eg you’re using is truly air gaped) you’re probably fine.
There are ways to exfiltrate data through a QR or SD card airgap. SD card is easiest; write to hidden blocks.
QRs can be modulated in other ways such as delay time, intentional error faults, or other choices.
There is also the fact that anything that exists emits EMI, and the Coldcard is no exception. This can be abused to create signals that contain your seed + can be detected at quite a distance using a box the size of a Pi.