So they do a protocol bootstrap to link the sensor to the secure zone in some manner rooted in the trust region CA, and then do what they need without divulging secrets, over the USB bus? ok. that (or a more cogent version) would make sense.

If you just package this button up, as a USB device, it's no different, if it can be bootstrapped as an input device "to" the secure zone.

It’s more or less an entire apple watch acting as a secure element, or used to be in the older models.