I'd recommend the Trezor T to anyone all day, every day.

It's FOSS, which fits perfectly with the ethos of don't trust, verify. Enable the SD-protect feature, use a pass-phrase and always check the Suite software signatures using GPG, and you're good to go.