Leaving aside the risk of these genuine firmware updates possibly messing up a device & having to access via the seed phrase, what's the bigger security risk?
I never heard of someone messing up a Trezor wallet after an update, and you should be fine unless the power cuts out in the middle of the update, so it's better to do it with a laptop.
Even if something happens, you can always reset the Trezor and install fresh firmware again from Trezor Suite.
As long as you download from official sources, everything should be fine.
How do I know a pop-up on my screen is a genuine update? And who says it's not a hacker pretending to provide a genuine update 2.7.0? Say it was a hacker, could they take my coins from me entering the password?
You can confirm the code on the Trezor website and GitHub page.
The Trezor password can easily be changed at any time.