Replying to JimD

At a minimum you should keep your seed recovery mnemonic sealed in a tamper-evident pouch. It’s more important to keep it secret and secure than it is to keep the signing device secured (because loss of the secret puts not only current holdings at risk, but any future balance as well).

Loss or (malware/Trojan) compromise of a signing device MIGHT result in exposure of your secret. But the PIN and any wipe threshold on repeated PIN failures MIGHT save you.

So, keep the seed MORE secure than your hardware wallet.

I recommend deriving new seeds (BIP85) off the one that you secure for your hardware wallet (or air-gapped, dedicated transaction signing system).

I derive new seeds (sub-keys) for mobile, desktop wallets, wife’s mobile wallet, and (so far) one for other applications (like NOSTR identities). (You can use the supplemental passphrase support to derive different nsec keys).
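The BIP85 derivation recommended in the note above, as an added example that is not code from the note's author: it turns one root seed into independent child entropy per wallet index using only the Python standard library. Assumptions: the root is the public BIP39 test phrase (never use it for funds), the index-to-wallet mapping is hypothetical, and the result is the raw child entropy, which a wallet would encode as words with the BIP39 wordlist (not embedded here).

```python
import hashlib
import hmac
import unicodedata

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order
HARDENED = 0x80000000
# Public BIP39 test phrase, used here only as constructed sample input.
ROOT_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: mnemonic plus optional passphrase -> 64-byte seed."""
    norm = lambda s: unicodedata.normalize("NFKD", s).encode()
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic),
                               norm("mnemonic" + passphrase), 2048, 64)

def hardened_child(key: bytes, chain: bytes, index: int):
    """BIP32 hardened private-key derivation (needs no curve arithmetic)."""
    data = b"\x00" + key + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + int.from_bytes(key, "big")) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child key at this index")
    return child.to_bytes(32, "big"), digest[32:]

def bip85_entropy(seed: bytes, index: int, words: int = 12) -> bytes:
    """Child BIP39 entropy at m/83696968'/39'/0'/words'/index' (English)."""
    if words not in (12, 18, 24):
        raise ValueError("words must be 12, 18 or 24")
    root = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain = root[:32], root[32:]
    for step in (83696968, 39, 0, words, index):
        key, chain = hardened_child(key, chain, step)
    full = hmac.new(b"bip-entropy-from-k", key, hashlib.sha512).digest()
    return full[: words * 4 // 3]  # 12 words -> 16 bytes of entropy

if __name__ == "__main__":
    seed = bip39_seed(ROOT_MNEMONIC)
    # Hypothetical assignment of indexes to wallets.
    for index, label in enumerate(["mobile", "desktop", "second mobile"]):
        print(label, bip85_entropy(seed, index).hex())
    # A different root passphrase yields an unrelated set of children.
    print("with passphrase", bip85_entropy(bip39_seed(ROOT_MNEMONIC, "x"), 0).hex())
```

Because every step is a hardened derivation followed by an HMAC, a leaked child seed does not reveal the root or its siblings, while the sealed root alone is enough to regenerate all of them.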

Brad Mills 2y ago

Dang this is good advice
