Or BIP85 and some passphrases to keep it simple. Multisig is tricky.
I don't think BIP85 or passphrases protect you in case of malicious firmware
Nor malicious hardware