1. You can also send to another malleated seed so the Passphrase can be changed too. PINs are nearly identical in threat model. PIN counters versus the literal nonadecillion combinations of passphrases.

2. Because regardless, the security there is additive. Why not split up your PIN AND have a separate passphrase?


Discussion

> You can also send to another malleated seed so the Passphrase can be changed too

Yes, but that is much more costly and risky (visit all backup/storage locations, rekey, retest) than a PIN change which can be done instantly.

> PINs are nearly identical in threat model. PIN counters versus the literal nonadecillion combinations of passphrases.

A passphrase can be brute forced until the end of time. The overlap between what you can remember and what is secure is small.

If you have to write down your passphrase somewhere to be able to use it, it may be best to instead use a 2nd seed and do a 2-of-2.

> Because regardless, the security there is additive. Why not split up your PIN AND have a separate passphrase?

Instead of that we could have a longer PIN and split the PIN into 3 parts!

This assumes security has no "cost" and is *always additive*. It is not.

Adding more moving components can make it weaker as you get the weakest path as your security level.

With a HWW(seed+passphrase inside) + PIN, and then separate seed+passphrase, each method has distinct locations.

But with HWW(seed) + PIN + passphrase, and seed+passphrase, you now have the HWW path (which is the most common) making it more likely your passphrase gets found. Because every time you have to use it, you have to go there, and someone might be following you.

They get a head start on stealing your physical backup just by monitoring you, and all they need is the seed now.

(Sorry I don't use Highlighter.)

Most people can remember 12 words (a trio of 4-word associations), but even barring that you have things like entropy grids that multiply your ability to save longer strings of data by using shapes and patterns.

Suffice it to say I disagree with your assessment and I also deal with security on a daily basis.