>If a malware were able to snatch the key material that represents the credit card

I'm pretty sure that data is stored in the secure enclave, which is impossible to access by design, root, no root, bootloader unlocked, google approved or not.