Tails.

Be as paranoid as you want. I am good with running it in a fresh VM with no virtual network device attached. Any interactions with it would have to be snooped via keylogger or some kind of screen grabber.

Next level paranoia is run it on an old laptop (with the network adapter, wifi, camera, and bluetooth all physically disconnected) from cd/dvd that I burned myself (and closed the session so it couldn't be edited)

I think there is another project - nos? Nox? Nosx? that is a live linux with some wallet and cryptography tools included.

If you run a bitcoin node, it's pretty easy to have an electrum service running, and then use an electrum client to connect to it and load up a wallet from seed, long enough to sign, generate addresses, or sign a psbt. Not surenif is more or less secure, but you could probably do the same with Sparrow wallet on desktop.

The issue I come back to is where data is at rest. If you have your wallet loaded up in a hardware or software that saves its state, then that opens a whole bunch of attack surface. If these are all cleared, reset, destroyed, so your wallet isn't saved at rest, then all your attack surface (at rest) is how your seed is stored.

This applies to multi-sig as well. I believe at least one of your required signatures should REQUIRE you to rebuild a signing device from a seed. But hey, that is me. You do you, right?

I wrote a long-form post on this topic, if this isnt long enough!

nostr:naddr1qqxnzd3c8q6ryvenxsensve5qgs9dnzu4uwa6vfpskgsax7qwvd554gev3fmg0l629g5msatladnasgrqsqqqa282veyl5