Private keys that control substantial amounts of sats should never touch the internet or a device connected to the internet. If they do touch a general purpose computer, the computer should remain offline until it is destroyed, and all possibility for wireless communication should be removed.
Use air-gapped signing devices for signing transactions. Dice for additional entropy, if you’re paranoid.
My 2 sats.