Ledger should have released their new service as a new piece of hardware, this way, people wouldn't have known that just through an online update could the "secure element" be modified so that the private keys could leave the device, albeit in three (encrypted) pieces.