Ledger was hit with a phishing attack that leaked a large amount of user info. Trezor has been cracked.

Attack vector of shitcoins is a tradeoff. Also KYC from wallet maker/seller. DIY wallets don't have KYC of any sort. multi coin wallets often rely on 3rd party services that can fix you.

I'm a proponent of diy wallets (specifically seedsigner), using sparrow desktop, connected to your own full node. This is the "don't trust, verify" technique.