[gherkin0]

> If yes, the device can never be trusted second-hand - the OS might have been modified to secretly accept more keys.

That's always going to be a risk with second-hand devices (or even new devices). Who knows what kind sneaky things someone did to a device that they had long-term access to. You can never really totally trust something that you didn't build yourself from the ground up, so you always have to accept some level of risk.

That UI solution was just a random idea, I'm sure there are better ones. Like you said, it's a Hard Problem.