Considering that the guy that reported the vulnerability about Ledger didn’t even mention Trezor, I also assume #2 is correct. Trezor also only fixed the issue after the report, so he would certainly also call them out.
This makes sense, but i wonder why he didn't also report the vulnerability to trezor.
He might have been able to get another bounty reward.
It probably wouldn't be too much additional work to test it on a trezor.
I guess he maybe didn't have a trezor lying around