But an email address is a start to lead to a paper trail possibly
So a scammer would need to find the physical trezor know it pin to be-able to install fake FW a put it back safe and sound (very unlikely)
How exactly?
yes, very unlikely, physical threat is the least likely for the majority of people, and as mentioned it would wipe the device and warn you.
Use a search engine,social media,cell phone provider
Even the name linked to the email address when the email address is registered
The email address is a start for a trial of breadcrumbs