b) & d) IMO wrong assumption. Trezor is nothing more than a box that keeps public-private keys pairs. On its own it doesn't matter in the end. External soft is needed to sign and forge tx. When Electrum officials say "private keys are never exposed to Electrum" they mean to Electrum servers but not client. Client needs it.
Your assumption is wrong. Trezor is more than a box that keeps public/private key pairs. The transactions are signed within the hardware wallet itself... the private keys NEVER leave the device. They are never exposed to Electrum... server OR client. They are not even exposed to the Trezor wallet software.
You create an unsigned transaction within your wallet software (electrum, mycelium, hardware wallet software in browser or on desktop etc)... The
unsigned hex is then passed to the hardware wallet and the
hardware wallet signs the transaction internally and returns the
signed transaction hex.
Again, the private keys NEVER, EVER leave the hardware wallet.
However no matter who sign and forge tx the fake destination is a real menace for safety and this is my main point.
This is why you cannot be "in a harry[sic] or/and inattentive"...
I still stand by my story.
You might want to reconsider your position.