Because the Trezor bootloader checks for SL-signed firmwares, it is impractical to run your own compiled firmwares.

One thing you can do is compile the firmware source code that corresponds with a new firmware update from SL and check that those bytes match the bytes in the firmware signed and distributed by SL.

But what if I don't want all the changes that SatoshiLabs has made? They have been bundling together security enhancements with 'new features' that I might not want.

I only want my Bitcoin hardware wallet to do Bitcoin things. I don't want my Bitcoin wallet to perform ssh logins or display custom artwork just like I don't want my local bank branch to sell hotdogs from their vault, or my commercial flight to also offer skydiving lessons. These represent risks that I don't want to incur -- and shouldn't have to.

Therefore, you are implicitly trusting SatoshiLabs when you upgrade your Trezor's firmware. You are accepting the security updates and the new features, whether you want them or not.