Depends on the hardware wallet. I can't possible speak for all hardware wallets, but most do not store private keys but instead derive them each time they are required and "forget" them when you unplug the device. The passphrase is another matter. There are some which do not store the passphrase, some which do, and some which can do either. Ledger wallets, for example, give you the option to attach the passphrase to a secondary PIN (in which case it is stored in the device), or to attach it temporarily each time you want to use it (in which case it isn't stored in the device).
I was mainly referring to a Trezor hardware wallet since it is open-source and on-topic. Because in the case of closed-source wallets like Ledger, it is anyway very difficult to figure out or verify what it is doing behind the scene. From my point of view, keeping a passphrase inside a hardware wallet defeats the purpose of hidden wallets. No matter how well it is implemented: it shouldn't store it. Period.
I said before there are DIY hardware wallets who are doing exactly that with non-consistent file storage, and memory gets deleted each time when device power is turned off.
Two examples I know are SeedSigner based on Raspberry Pi Zero, and Krux Wallet based on M5StickV device... importing seed words is quick for both of them with QR code.
Both of them are relative cheap to make and you won't be targeted by anyone for using general use devices like this not connected with cryptocurrencies.
They are more like signing devices than hardware wallets, but I see no reason why someone couldn't release something similar that is not DIY.
What happens if you accidentally scan the mnemonic QR-code with the camera of your smartphone instead of the signing device? Will an attacker be able to intercept it and quickly steal your savings? I think the answer is yes, they can, which makes me think that storing your seed in a form of QR-codes is not a good idea in principle. With signing devices as you mentioned above, it is very convenient to spend bitcoin from a paper wallet or something. But it is not at all suitable for everyday transactions due to the necessity of importing the seed every time you want to send someone bitcoin. It might work for cold-cold storage because you spend from it very rarely, but in such a case, there is no point in keeping QR-codes for your seed. The more time you spend directly interacting with your seed, the higher the chance of messing everything up and compromising your seed. Just my thought, I may be gravely mistaken.
