How do we know that the random number generator in a Coldcard is legit and working as intended? Or any other HW device for that matter?

Discussion

Good question.

With open source you can audit the way the code creates the random number.

There are a bunch of tried and tested methods that can be used.

Have an electrical engineer compare the device with the free/libre hardware designs, have a security person review the hardware and software designs, and maybe run some tests. In short, it's hard to know with certainty but we can increase confidence. I haven't heard of a Coldcard, though.
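
The "run some tests" suggestion above, as an added example that is not part of the original thread: two NIST SP 800-22 checks (monobit and runs) show that a stuck bit or a patterned output is caught, while a fully predictable hash-counter stream still passes, which is why such tests raise confidence against faults rather than prove a generator is sound. It assumes raw RNG output can be exported from the device as bytes; the seed, function names and all three sample streams are constructed for illustration.

```python
import hashlib
import math

ALPHA = 0.01  # significance level used by NIST SP 800-22

def to_bits(data):
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def monobit_p(bits):
    """Frequency test: p-value for 'ones and zeros are balanced'."""
    s = abs(sum(2 * b - 1 for b in bits))
    return math.erfc(s / math.sqrt(2 * len(bits)))

def runs_p(bits):
    """Runs test: p-value for 'bit flips occur as often as expected'."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0  # prerequisite frequency check already failed
    v = 1 + sum(a != b for a, b in zip(bits, bits[1:]))
    expected = 2 * n * pi * (1 - pi)
    return math.erfc(abs(v - expected) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))

def evaluate(data):
    """Return {test name: passed?} for one sample of RNG output."""
    bits = to_bits(data)
    return {"monobit": monobit_p(bits) >= ALPHA, "runs": runs_p(bits) >= ALPHA}

def predictable_stream(seed, blocks=64):
    """Constructed sample: SHA-256 in counter mode over a PUBLIC seed."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))

# Constructed samples (not captured from any real device).
PREDICTABLE = predictable_stream(b"constructed-public-seed")
STUCK_BIT = bytes(b | 0x80 for b in PREDICTABLE)  # top bit of every byte stuck at 1
ALTERNATING = b"\x55" * 2048                      # 0101...: balanced but patterned

if __name__ == "__main__":
    for name, sample in [("predictable", PREDICTABLE), ("stuck bit", STUCK_BIT),
                         ("alternating", ALTERNATING)]:
        print(f"{name:12s}", evaluate(sample))
```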