Would it be risky to have the account be un-hardened considering that this wallet will never be used for payments? (except for consolidating and moving to other cold storage wallets)
Unhardened derivation is only risky if someone is able to learn the xpub and any of the child private keys. In that case, the xpriv corresponding to the xpub can be derived. So if you think your security of the private keys is good enough, then unhardened is fine.
Do you know how various exchanges/etc. deal with this issue?
I don't think exchanges generally have separate accounts like that dedicated to each user.
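The relationship stated in the answer above (an xpub plus any one unhardened child private key gives the parent private key, while a hardened child does not) is shown below as an added example that is not part of the original thread. It follows BIP32 private child derivation on secp256k1 but skips the spec's rare invalid-key checks; the function names are hypothetical and the key material is constructed for the demonstration.

```python
import hashlib, hmac

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Constructed sample material, not real wallet keys.
PARENT_PRIV = int.from_bytes(hashlib.sha256(b"constructed parent key").digest(), "big") % N
CHAIN_CODE = hashlib.sha256(b"constructed chain code").digest()

def ec_add(a, b):
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt=G):
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ser_pub(priv):
    x, y = ec_mul(priv)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def tweak(chain_code, data, index):
    mac = hmac.new(chain_code, data + index.to_bytes(4, "big"), hashlib.sha512)
    return int.from_bytes(mac.digest()[:32], "big")  # left half of the HMAC output

def derive_child_priv(parent_priv, chain_code, index):
    if index >= 0x80000000:  # hardened: HMAC input is the parent *private* key
        data = b"\x00" + parent_priv.to_bytes(32, "big")
    else:                    # unhardened: HMAC input is the parent *public* key
        data = ser_pub(parent_priv)
    return (tweak(chain_code, data, index) + parent_priv) % N

def parent_from_leak(parent_pub, chain_code, index, child_priv):
    # Needs only xpub contents (public key + chain code) and one child private key.
    return (child_priv - tweak(chain_code, parent_pub, index)) % N
```

For an unhardened index the subtraction returns `PARENT_PRIV`; for a hardened index the tweak cannot be recomputed from the xpub, so the result is an unrelated value.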