It uses a secure element (I don't like it), although they have followed the Trezor Safe model and use a secure element with open firmware, so, in theory, you could test the specification and check all the inputs and outputs generated by the chip.
From my point of view, I rule out any HWW that uses a secure element, except for what Trezor is building with Tropic.
Secure elements are black boxes; by contract you can't even disclose the vulnerabilities found.
In cryptography there should be no trust.