An HW receives a unsigned transaction from the wallet, signs it and sends it back. So first of all it is a computer, not just a dumb storage. The receive/send parts can be done with a cable connection, wireless (bluetooth) or better in a completely air-gapped fashion, so with qr codes or via a removable media (usually a micro SD).

So an HW is technically always offline. Even if it is compromised (hacked firmware) it cannot send the seed to a malicious endpoint. Unless the wallet on the main PC is also compromised; for this reason you should always use HW and wallet from different sources!

Instead, the first time you put your USB memory with a plain seed in a compromised PC, you are over.

My suggestion about HW is SeedSigner, paired with Sparrow. Search HM for more info. But don't trust, verify. Online there are a lot of resources from various companies about their products and the general operative logics. Thanks for time to study and learn.