Making a hot wallet as cold as possible

Poke holes in my plan to have a “cold” metamask wallet since Ledger blew themselves up:

Step 1: Create a new wallet in a separate browser from where I do my day to day trading. This is to ensure if my very active wallets sign a malicious transaction it doesn’t effect other wallets in that browser even though I don’t believe it’s possible.

2: Dont sign anything on the cold wallet, should still be able to receive ethereum and send to my exchange without any other smart contracts necessary.

3: Dont store seed phrase anywhere except a piece of paper, full Norton scan my computer first to ensure no keyloggers/screengrabbers or malware is present that could compromise seed phrase

4: Obviously never interact with tokens and NFTs I find are sent to me

What could possibly go wrong?

Also would be curious to know how major companies manage their hot wallets