Unencrypted private keys must reside and move around on the client's network-connected hardware, at some point, for signing of the send transactions to occur, and thus any network-connected hardware forms part of the bitcoin network at that point in time.
No, they don't. You can have a dedicated piece of hardware not connected to any network for signing.
Then, if you want to transact, you create a partial (unsigned) transaction on your main computer connected to the network, write the transaction onto some storage medium, then go to your dedicated signing hardware, plug this storage medium in, review the transaction details, sign it and move the signed transaction back to your main computer to broadcast it.
It is crucial to understand that:
1. A transaction can be broadcast from any node.
2. To make a transaction you only need a keypair and input details, but you don't need to be connected to the network.
Also, it is possible to make transactions which require more than one signature.