Given that Trezor was not updated in probably 6 years, it must always have been like this. With such API calls being possible without any interaction on the device, I wonder if that could be used to hammer the device with these requests and use timing information to extract secrets over millions of API requests.