The children derived by these wallets are not hardened below the account level: m/44'|49'|84'/0'/0' for the Trezor One/T and m/49'|84'/0'/0' for the Ledger Nano X/S. Not all subsequent children are hardened.
If an xpub for a given mnemonic + passphrase leaks and you also have any one of the private keys of its children, you can compromise the entire wallet behind that xpub and all of its other children, hardened or non-hardened. The attacker still cannot compromise any other mnemonic + passphrase, because that has a different xpub and ultimately different children.
This is my reading of BIP32: "Knowing the parent extended public key as well as any non-hardened private key descending from it is equivalent to knowing the original extended private key (and thus every private and public key descending from it). This means that extended public keys must be handled more carefully than regular public keys."
I want to know how even a single child's private key could leak from a Trezor or Ledger, where none of the keys is supposed to leave the device.
Private keys should never leave a hardware wallet, and there is no ordinary reason for them to. Usually the only thing a hardware wallet device will export is the master seed, and there are few reasons to do even that. If an attacker was able to get hold of your device and extract the keys, the fact that you had shared xpubs would be irrelevant.