I don't think it's just that - the design intent is for the crypto operations to run only on the device and also to depend not just on a key derived from the user password but on parameters built into the device that are not accessible to the software. Just controlling the software is not necessarily enough to take the attempts off-device.