I've been running an Umbrel with many LN channels for over 2 years now. The only issue I've encountered was when I installed too many apps from the Umbrel App Store, then the LND started misbehaving and my node was going offline regularly. I uninstalled most of the apps and had no issues since.

The on-chain wallet which is associated with your Lightning node must be online in order for LN to work. So as far as I know, you cannot connect a HW wallet to any LN node's on-chain wallet, Umbrel or not.

You should think about such an on-chain wallet as part of Lightning, not as a standard Bitcoin wallet. Umbrel did a great job changing the UI so that users do not feel like they are getting a standard BTC wallet with their LND (Lightning implementation that is default on Umbrel). [If you are interested what exactly: Both Lightning and on-chain balances are in the "Lightning" app, and with the On-Chain you have buttons called "Deposit" and "Withdrawn", not "Receive" or "Send"].

If you want to connect a cold storage to your Umbrel, what you can do is to create a separate wallet though an app you can install on Umbrel like Spectre Desktop and connect Trezor/Ledger to that. This is the recommended way when you are using something like BTCPay server to accept on-chain transactions using Umbrel.

Anyway, overall, I've had a great experience with Umbrel so far.

That being said, I know that some people who are experts in BTC security have concerns about Umbrel in general – I have yet to discover what are those concerns and if they are based.