Correct.
During initial wallet creation, use at least two different vendors to generate lists of addresses from metadata. Confirm that these lists match. This protects you from a malicious software wallet at setup time.
Bonus points: save off a copy of these addresses with the metadata, in offline storage. Before receiving coin, confirm that the address is the next one on the saved address list. This protects you from a software wallet that became malicious between setup and receive time.
Bonus bonus points: keep two machines running different OSes for the coordinator wallet. This way, if either has a vulnerability (revealed by the above) you still have another wallet ready to use.
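
One way to script the cross-vendor comparison and the pre-receive check described in the post above, as an added example that is not part of the original post. It assumes each wallet's address list has been exported as `index,address` rows (a hypothetical export format); the function names are illustrative and the addresses are constructed placeholders, not valid addresses.

```python
import csv
import io

# Constructed sample exports (placeholder strings, not valid addresses).
VENDOR_A = """# constructed sample
0,bc1qconstructedexample0000
1,bc1qconstructedexample0001
2,bc1qconstructedexample0002
"""
VENDOR_B = "0,BC1QCONSTRUCTEDEXAMPLE0000\n1,bc1qconstructedexample0001\n2,bc1qconstructedexample0002\n"
VENDOR_C = "0,bc1qconstructedexample0000\n1,bc1qconstructedexample0001\n2,bc1qconstructedexampleXXXX\n"

def normalize(addr):
    """Bech32 (bc1/tb1) is case-insensitive but never mixed-case; Base58 is case-sensitive."""
    addr = addr.strip()
    if addr.lower().startswith(("bc1", "tb1")):
        if addr not in (addr.lower(), addr.upper()):
            raise ValueError(f"mixed-case bech32 address: {addr}")
        return addr.lower()
    return addr

def load_list(text):
    """Parse 'index,address' rows into {index: address}; reject duplicate indexes."""
    out = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        idx = int(row[0])
        if idx in out:
            raise ValueError(f"duplicate index {idx}")
        out[idx] = normalize(row[1])
    return out

def compare(a, b):
    """Return sorted indexes where the two vendors disagree or one list has a gap."""
    return sorted(i for i in a.keys() | b.keys() if a.get(i) != b.get(i))

def check_receive(saved, next_index, shown):
    """True only if the address the wallet displays is the saved one at next_index."""
    return next_index in saved and saved[next_index] == normalize(shown)

if __name__ == "__main__":
    saved = load_list(VENDOR_A)
    print("A vs B mismatches:", compare(saved, load_list(VENDOR_B)))
    print("receive check at index 1:", check_receive(saved, 1, "bc1qconstructedexample0001"))
```

Any non-empty result from `compare`, or a `False` from `check_receive`, means stop and investigate before using the wallet or sharing the address.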