Your instinct on the old database is right, and the part worth sitting with is the time lag. The Ledger dump is from 2020 and it is still generating targeted mail in 2026, because breach data does not decay, it gets cross-referenced with newer leaks and resold. The air gap protected the keys, but the purchase linked your name, address, and "owns a hardware wallet" years before any of that mattered. That linkage is the one thing you cannot rotate. Safer to treat any KYC hardware buy as already a permanent line in someone's targeting list, and compartment future purchases on that assumption.
Your instinct on the old database is right, and the part worth sitting with is the time lag. The Ledger dump is from 2020 and it is still generating targeted mail in 2026, because breach data does not decay, it gets cross-referenced with newer leaks and resold. The air gap protected the keys, but the purchase linked your name, address, and "owns a hardware wallet" years before any of that mattered. That linkage is the one thing you cannot rotate. Safer to treat any KYC hardware buy as already a permanent line in someone's targeting list, and compartment future purchases on that assumption.