Generating them on the cold side would be a bit safer, because, assuming the hot side is compromised, something could substitute the new address for one of their own, causing you to give out the wrong address and thus lose any funds sent there.
Wallet consistency check on startup would catch this every time. The only way this attack vector would work on Armory is if the entire wallet is swapped (you'd notice), or the data is changed in RAM. In both cases, you got yourself in a position you shouldn't be in to begin with.
A way to mark addresses used manually would help. I'd settle for the ability to comment on addresses (in wallet properties) that weren't officially "generated" by [Receive Bitcoins] yet. Maybe it's there and I just haven't found it yet ...
You can add comments to addresses in the Receive dialog.
Generally the best way around this is to create a large key pool on your offline machine, grab the WO and import that to your online machine. This way you don't trust the online machine to compute public keys for you, all the while keeping track of the latest requested address (incrementing a counter).