Sure. The basic idea is that signer can choose a ECDSA nonce (k) that they know, and leak the private key. If I choose a known nonce for my signature, I can recover the private key from the published transaction instantly. With some ECDSA magic, you can even produce a nonce that is only recoverable with another key that you hold. So a hardware wallet for example can backdoor transactions to leak the seed through the signature, or a specific key, or put any data there that they wish. The "offline signing" defense is only good for one way, as there's always data leaving the system which you can't easily audit.

This is only detectable if you have multiple signers signing the same transaction using the same private key and the same method for generating the nonce, and you compare them before broadcasting. So perhaps using hardware wallets from 3 manufacturers which all implement bit-identical implementations of the signer (with RFC6070 deterministic signatures), and treating the signed transaction as a private key leak until you've verified they all match.

For ECDSA a single bit bias in the nonce, or a single bit leakage of the nonce through other methods is enough to completely break the cryptography. So we could have hardware wallets that produce otherwise impeccable transactions and signatures, but leak a bit of the nonce in the ordering of the outputs, the lock time, the sequence numbers, and that would still be enough to steal all of the funds.

This stuff is trickier to get right than most people imagine.