Thank you for the very helpful information. This releaves a lot of anxiety about this particular area of security. appreciate you guys taking the time to answer my question.
My worry was that a usb keyboard acquired on Amazon, could potentially log keystrokes and then send this to a remote attacker.
I was leaning in the direction of a test bench of some kind, and using usbcap or something to capture traffic from the questionable device.
My hypothesis, is that the piece that would make this challenging, is that the malicious activity would only happen if it were triggered in some way, remotely or by local activity. Not just naively running some code when powered on. Hence, why people have a full career in the subject, likely.