If someone steals your Trezor wallet, they can potentially extract your seed words and steal your funds IF you are not using a BIP39 passphrase, a 25th word that only you know and that is not stored on your hardware wallet.
Why should I enter a password? Why does it keep the mnemonic inside the wallet? It adds extra steps to the entire procedure. Keeping a mnemonic without a password should be equally secure.
It is not necessary, but it is better to use 24 words, and most wallets are now using that as the default, and Electrum with Trezor is working just fine.
Oh, you can use 12 too? Nice. I just consider it not practical to have 12 additional words in your mnemonic, since both options offer you the same security.
Use your common sense: there is no reason to connect your hardware wallet to a publicly shared or infected computer, and there could be some keyloggers installed for catching what you are typing and your passphrase.
My common sense tells me that if there are no private keys on the computer, then no hackers can get my money. A trojan changing the address while you're pasting it is the worst I can think of. As for the passphrase, what is it? PIN? An alphanumeric password? What happens if I forget it?
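What the BIP39 passphrase discussed in this thread does to seed derivation, as an added example (not code from any poster, Trezor or Electrum). It follows the BIP39 seed derivation; the helper names are hypothetical, and the mnemonic and passphrases are constructed test values.

```python
import hashlib
import unicodedata

# Constructed input: the public all-"abandon" BIP39 test mnemonic, not a real wallet.
MNEMONIC = "abandon " * 11 + "about"


def _nfkd(text: str) -> bytes:
    # BIP39 normalizes both mnemonic and passphrase to NFKD before UTF-8 encoding.
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """64-byte BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase."""
    salt = b"mnemonic" + _nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", _nfkd(mnemonic), salt, 2048, dklen=64)


def seed_fingerprints(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Hypothetical helper: first 8 hex chars of the seed for each candidate passphrase."""
    return {p: bip39_seed(mnemonic, p).hex()[:8] for p in passphrases}


if __name__ == "__main__":
    # Constructed passphrases: none, the "right" one, and a one-character typo.
    # Every one yields a valid but different seed; nothing flags the typo as wrong.
    for phrase, fp in seed_fingerprints(MNEMONIC, ["", "TREZOR", "TREZ0R"]).items():
        print(f"passphrase={phrase!r:10} seed starts {fp}")
```

The passphrase is an arbitrary Unicode string, not a PIN, and the same 12 or 24 words produce an unrelated seed for every passphrase, so a mistyped or forgotten one derives a different, empty wallet with no error.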