Oh, it's worse than that.
A USB attack-widget isn't limited to just one VID:PID pair. It can present itself as as hub with as many VID:PIDs behind it as is useful. (This isn't new or exotic functionality; the very first USB thumb drive I ever owned did this as a built-in, maybe 20 years ago.)
So, for instance: A single physical widget can present as a thing that makes Windows install vulnerable software, and as a keyboard that issues commands hook that vulnerability, and as a storage device that provides a payload, while also [or ultimately] appearing as the fully-functional device that the user actually intended to use.
Game over.
The end-user might see a brief flurry of stuff happening while this goes on, but that's no big deal: End-users are already accustomed to seeing that kind of thing when new hardware is introduced, and clicking whatever button it is that they're required to click in order to proceed.