Children created by these wallets are not hardened.
They are m/44'|49'|84'/0'/0' for Trezor One/T and m/49'|84'/0'/0' for Ledger X/S. All subsequent children aren’t hardened.
If an xpub is leaked for a mnemonic phrase + passphrase, if you have
any of the children’s private keys, you can compromise the entire
wallet linked to the xpub and all other children, hardened or
non-hardened, BUT the attacker will not be able to compromise any other
mnemonic phrase + passphrase you have as it has a different xpub, and
ultimately different children.
This is the explanation from BIP32: “knowledge of a parent extended public key plus any non-hardened private key descending from it is equivalent to knowing the parent extended private key (and thus every private and public key descending from it). This means that extended public keys must be treated more carefully than regular public keys.”
I want to know how it’s even possible to leak a child’s private key on
a Trezor or a Ledger as none of the outputs are able to leak these.
Private keys should never leave hardware wallets without any extraordinary cause. Usually, only the master seed is transferable as a possibility from a hardware wallet device. And there are not many reasons to do so. If an attacker is able to backdoor your device and steal keys, the fact of sharing xpubs would be irrelevant.












