You would avoid using lightning if you wanted to avoid using a hot wallet. Lololol.
A good offline signing device should be used with your node (proper base layer, not lightning). If it isn't, you are using someone else's node and they have all your current and future addresses.
Protect your zpubs, folks.