Specifically two questions that are interesting to me:

  1. Are private keys accessible?
  2. When are they created and how can we find out/prove it?

In more detail:

  1. Did I understand correctly that even when connected to a computer connected to the internet, the private keys cannot be accessed and the only thing that can be seen is the signature/signed transaction? (Let’s take the Ledger Nano S as an example)

  2. How do I know that the seed phrase I see is new and has not been seen by the manufacturer before? How can I be confident that when I get the seed phrase/access to the private key, no one else has before me?


> Did I understand correctly that even when connected to a computer connected to the internet, the private keys cannot be accessed and the only thing that can be seen is the signature/signed transaction? (Let’s take the Ledger Nano S as an example)

Well, if you connect a hardware wallet/signer to a laptop, the hardware wallet/signer will provide signatures on demand so transactions can be created and broadcast, but it will never provide private keys to that laptop. The private keys remain on the hardware wallet/signer.

> How do I know that the seed phrase I see is new and has not been seen by the manufacturer before? How can I be confident that when I get the seed phrase/access to the private key, no one else has before me?

You can create a new seed phrase (or enter an existing phrase, supported by Coldcard dice rolls) on the hardware wallet/signer, but you trust the manufacturer that they have not previously uploaded a set of seed phrases to the hardware wallet/signer. Hence it is important that you buy directly from the manufacturer’s website and not from outside sellers who may have tampered with the hardware wallet/signer or sell you a replica. One thing you might want to consider, if this interests you, is multi-signature or threshold schemes. This will allow you to use many different products and manufacturers and reduce the risk of any manufacturer being harmed. (Now they will not be able to spend your coins knowing the seeds on the machine they sold you.) It does introduce complexity though; practice first on testnet/signet and make sure you understand what you’re doing.
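As an added example (not part of the answer above, and not any vendor's code), this shows how a seed can come from entropy you supply yourself with dice, and how to reproduce the result independently. It assumes the device derives the seed as SHA-256 over the ASCII string of rolls; confirm that convention in your device's documentation. The BIP39 step is the standard encoding, and mapping the indices to words needs the BIP39 English word list, which is not embedded here.

```python
import hashlib

# Constructed sample input: 102 predictable rolls. Never use for a real wallet.
CONSTRUCTED_ROLLS = "123456" * 17


def rolls_to_entropy(rolls: str) -> bytes:
    """Hash a string of six-sided dice rolls ('1'-'6') into 256 bits of entropy.

    Assumption: the device uses SHA-256 over the ASCII roll string.
    """
    if not rolls or set(rolls) - set("123456"):
        raise ValueError("rolls must contain only the digits 1-6")
    # 99 rolls * log2(6) is about 255.9 bits; fewer rolls give a weaker seed.
    if len(rolls) < 99:
        raise ValueError("need at least 99 rolls for ~256 bits of entropy")
    return hashlib.sha256(rolls.encode("ascii")).digest()


def entropy_to_bip39_indices(entropy: bytes) -> list[int]:
    """Standard BIP39 encoding: entropy plus checksum, split into 11-bit indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = len(entropy) * 8 // 32  # one checksum bit per 32 entropy bits
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (len(entropy) * 8 + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def rolls_to_indices(rolls: str) -> list[int]:
    """Full path from dice rolls to the 24 word-list positions of the seed phrase."""
    return entropy_to_bip39_indices(rolls_to_entropy(rolls))


if __name__ == "__main__":
    # Each index is a 0-based position in the 2048-word BIP39 list.
    print(rolls_to_indices(CONSTRUCTED_ROLLS))
```

Run this only with throwaway rolls or on a machine that stays offline, since rolls typed into a networked computer are no longer a secret held only by the signer.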