You can see their license here: https://github.com/Coldcard/firmware/blob/master/COPYING-CC
You can understand why this distinction is important here: https://nitter.cz/sethforprivacy/status/1651039483419058177
Code that is not actually open source is bad for the product and bad for the ecosystem. If no one is actually allowed to use their code in other products, then you are going to have far fewer sets of eyes on the code since there is far less incentive for people to spend their time examining it. Open source code encourages competition which furthers development, which ultimately is good for bitcoin.
I'm getting fed up of various projects claiming to be open source when they aren't, or claiming their not-open-source license is just as good as open source when it isn't. Open source has a very specific meaning and is very important to the ecosystem. Coldcard is not open source.
Let's say ColdCard left their code open-source and there comes someone with ten times more money for marketing, manufacturing and so on. They take ColdCard's open-source wallet, create a new hardware wallet, spend ten times more in marketing than coldcard and will build a great business on ColdCard's work.
I don't see anything wrong with Verifiable Source Code. It's a business, I think it will even demotivate people to start a business if their work might be copied super easily. I don't think anyone shares the belief of Nikola Tesla in a modern capitalism where you are nothing without money.