I’d like to sign messages with trezorctl and enter the message on the computer. however, I don’t want the Trezor to pass the signature back to the computer (as it happens by default with trezorctl sign-message), rather it should stay on the Trezor and be displayed only on its screen (Model T), preferably in the encoding of my choice (e.g. binary, hex, base64).
how can I do this?
Write a custom firmware 
What is your usecase? Signature (of a known message no less) is not generally considered private data.
the use case is what we’ve been discussing in the other thread (forum.trezor. io/t/generating-mnemonics-with-a-trezor/11578/2), using deterministic randomness as a source for generating child mnemonics. I had signatures in mind, and the problem is that going either route causes the (now-)secret to leave the Trezor. displaying it only on the screen would allow constructing a mnemonic with the help of a word list.
of course, implementing BIP85 (github. com/trezor/trezor-firmware/issues/1528) would make this unnecessary.