The best way to buy a Ledger is right through the Ledger site itself. You can even pay with bitcoin if you want to, so I don't see any reason why anyone wouldn't just do that.
Since personal information from Ledger leaks in all directions, the only way anyone can protect themselves is not to order products using their real name, address, phone number and e-mail. If this is not an option, then all that remains is to look for a local reseller who preferably has a physical store and make a cash purchase.
And yeah, it basically boils down to how much you trust the seller that you're interacting with.
I believe no one wants such devices to be found on store shelves next to cans of beans - but physical stores that sell IT equipment and electronics are definitely a good choice for direct purchase without compromising privacy, of course if paid for in cash.
