Since the BIP38 EC multiply procedure cannot guarantee sufficient entropy for the private keys, I still have to trust the manufacturer of the physical bitcoin to be honest.
Is that correct?
The parameters passed to the EC multiply differ depending on whether you include lot and sequence numbers according to the BIP.
In case they are being included, the factor passed to EC multiply is SHA256d(scrypt(...)) so all of that has to be reversed in order to get the passphrase, even if the factor used for EC multiply is discovered.
If there are no lot and sequence numbers, then the factor is just scrypt(...), where most of the parameters are known except for the passphrase and salt. The salt in particular is a 32-bit random number; however, this is disclosed to the user at the end.
This means that the difficulty of reversing scrypt is the only defense stopping manufacturers from knowing the password. In addition, if lot and sequence numbers are used, there is also the difficulty of reversing SHA256(SHA256()).
Keep in mind all this applies to the intermediate code only (that's given to coin makers) and not the final BIP38 encrypted key.
If so, what is then the purpose of BIP38 EC multiply?
It's to let manufacturers create an encrypted keypair without knowing the password. It also has the side effect that the private key has to be created along with the address, which some people might like since the manufacturer cannot know the private key in the first place.
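The two derivations described in the answer above, as an added example that is not part of the original post or any BIP38 reference code: it computes the factor in both modes and the point that goes into the intermediate code. The scrypt parameters, NFC normalization and lot/sequence encoding follow the BIP38 text; the function names and the sample passphrase and salt are constructed for illustration.

```python
import hashlib
import unicodedata

# secp256k1 field prime and generator point
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        m = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def owner_fields(passphrase, ownersalt, lot=None, seq=None):
    """Return (passfactor, ownerentropy, compressed passpoint)."""
    # BIP38 text: ownersalt is 4 bytes with lot/sequence, 8 bytes without.
    pw = unicodedata.normalize("NFC", passphrase).encode("utf-8")
    pre = hashlib.scrypt(pw, salt=ownersalt, n=16384, r=8, p=8,
                         maxmem=64 * 1024 * 1024, dklen=32)
    if lot is None:
        ownerentropy, passfactor = ownersalt, pre  # scrypt output used directly
    else:
        ownerentropy = ownersalt + (lot * 4096 + seq).to_bytes(4, "big")
        passfactor = hashlib.sha256(hashlib.sha256(pre + ownerentropy).digest()).digest()
    x, y = ec_mul(int.from_bytes(passfactor, "big"))
    passpoint = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return passfactor, ownerentropy, passpoint

if __name__ == "__main__":
    pf, oe, pp = owner_fields("constructed passphrase", bytes.fromhex("a1b2c3d4"), lot=1, seq=1)
    print(oe.hex(), pp.hex())  # the two values carried in the intermediate code
```

Only `ownerentropy` and `passpoint` leave the owner's machine; `passfactor` and the passphrase do not.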