I think the paranoia stems from the HID inserting winflag+r, powershell curl https... which installs keylogging software. It can do that after a 10 minute or so countdown timer so it might not seem immediately obvious, or might seem like part of a auto-update with powershell postinstall.

The paranoia stems from this being a suspiciously cheap device that is meant to be ordered in bulk from China.

> As for inserting keystrokes, that will be obvious if it enumerates as a keyboard.

This is true, but this also doesn't need to happen at insertion time. An HID keyboard can show up, say, 3 hours after you plug it in.

I miss grsecurity's patch set so much. It had an option to defeat this (deny all USB device enumeration post-boot, i.e. after the kernel executes init).

There are plenty of USB keyloggers available for purchase right now.

While I can try and conjecture how those might work, that's not really in my lane.

Those work by sitting between the real keyboard and the computer, often deliberately designed to appear as an innocuous adapter (say, a USB-A keyboard plugged into a PC's USB-C port or vice versa) or extension cable.

The better attack vector would be the programs you need to use the display

You need to install an executable on your machine.