Yeah, I think this recently changed. Trezor used to require me to enter my PIN before showing balances; now they always show, even after a restart. I'm currently in the process of switching to ColdCard.
Ok, WTF? So I unlocked the Trezor with Sparrow and then went to https://suite.trezor.io/web/ to see if it works there. It indeed worked and showed some sats ... without having to confirm anything at all on the Trezor. That is a bit scary. Once unlocked, does it surrender the xpubs to all apps running on my system? That is scary and the first time I've noticed this happening.
Discussion
Given that Trezor was not updated in probably 6 years, it must always have been like this. With such API calls being possible without any interaction on the device, I wonder if that could be used to hammer the device with these requests and use timing information to extract secrets over millions of API requests.