[lxgr]

Wow, and all that runs on the SE? That would be really impressive!

It's still not ideal though, given that every additional feature or library blows up the trusted code base and increases the scope of any audit as a result.

Well, I just hope the existing wallets will remain supported going forward.

[popol12]

They have a modular approach where the OS is not updated very often, and over it are running userland applets that define their own UI and features and can be audited separately. These applets are built using Ledger's SDK which make use of the security features of the OS through a bunch of scrutinized syscalls.