Certainly. This is what's known as a supply chain attack. Essentially, someone else gets their hands on your wallet before you do, and can perform a variety of attacks. They could swap out hardware, install malicious firmware, pre-initialize it with their own seed, even swap the entire device for a fake one - https://blog.trezor.io/psa-non-genuine-trezor-devices-979b64e359a7.
As you say, good hardware wallets provide a set of instructions for how to check your device hasn't been tampered with and verify it is genuine, but there is at least theoretically ways this could be bypassed or fooled.
As you say, good hardware wallets provide a set of instructions for how to check your device hasn't been tampered with and verify it is genuine, but there is at least theoretically ways this could be bypassed or fooled.
Interesting.
Having a look at the link you sent it's sad to see trezor relies on a holographic label for authenticity (as far as I can see) - in this case I would definitely only buy directly from them.
I would however imagine that if you are using factory software (signed by the provider) to verify that the firmware on the device is valid (once again using a cryptographic signature over the firmware), the serial number is legit and the device has not been cloned, it should be all good.
Maybe the OP can work authenticity checks into his "Best" hardware wallet article, because if you cannot trust or verify the hardware then all the other device features becomes pointless.