That is a fair question - and my answer is that some folks are used to using it and don't want to change. Old habits die hard, especially for older folks. What Craig has done with this is provide people with a consumer-grade experience for verifying software. I hear your concerns, but this will likely help people to avoid downloading malware, and give them some exposure to the cool stuff available in Sparrow. The fact that it can be used for verifying 3rd party software is cool af, IMO.

Discussion

Maybe Craig can help me here? ...

Ok, WTF? So I unlocked the Trezor with Sparrow and then went to https://suite.trezor.io/web/ to see if it works there. It indeed worked and showed some sats ... without having to confirm anything at all on the Trezor. That is a bit scary. Once unlocked, does it surrender the xpubs to all apps running on my system? That is scary and the first time I notice this happening.

Yeah, I think this recently changed. Trezor used to require me to enter my PIN before showing balances; now they always show, even after a restart. I'm currently in the process of switching to ColdCard.

Given that Trezor was not updated in probably 6 years, it must always have been like this. With such API calls being possible without any interaction on the device, I wonder if that could be used to hammer the device with these requests and use timing information to extract secrets over millions of API requests.