- use a hot watch-only wallet on that machine and a decent hardware wallet to sign transactions (I don't speak of Ledger crap here); always, I mean ALWAYS, check carefully all of the transaction's output details on the independent display screen of the decent hardware wallet; NEVER miss that step
I have to work on storage encryption, and could you please explain your last point?
My main message is:
A software wallet that secures private keys can't surely protect them from sophisticated enough malware on the same device. The malware could intercept the software wallet, steal keys or manipulate a user's transaction's outputs to divert funds to the malware author's address(es).
A watch-only wallet does not contain private keys and therefore can't leak them and can't sign transactions on its own. It needs a signing device like a hardware wallet which protects the private keys from internet attacks or malware.
Using a hardware wallet usually involves two components: a watch-only software wallet, likely on an online device, for interaction with the user, and the hardware wallet, which takes a transaction to be signed and displays the transaction's details on its own independent display for verification by the user BEFORE the hardware wallet is commanded by some independent user interaction (e.g. a physical button on the hardware wallet) to sign the transaction and pass it, signed, back to the software wallet on the online device to broadcast it to the network.
The purpose of always checking the transaction's details on the hardware wallet's display before you sign them is that no malware on a potentially infected computer running the watch-only software wallet part can manipulate the transaction details before they are passed for signing to the hardware wallet. You want to make sure your transaction's outputs are exactly what you expect them to be: usually only your intended output destination address(es) and your wallet's internal change address to return excess coins of spent inputs back to your wallet.
Thorough verification of all output addresses is not entirely easy if you assume the computer and your software wallet component could be infected. To exclude output addresses manipulated by some malware, you would need a second independent offline device OR your hardware wallet verifies and shows that the change address output actually belongs to your own wallet.
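As an added illustration (not code from the post above or from any real wallet), here is a toy model of the signer-side check the post describes: every output must be either a destination the user confirms against their intent, or change the hardware wallet can re-derive from its own seed at the path the software wallet claims. The "addresses", seed, paths and amounts are constructed; the HMAC derivation is a stand-in for BIP32, not real Bitcoin address derivation.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed toy derivation: a wallet's "address" at a path is an HMAC of its
# seed and the path. Stand-in for BIP32 key derivation, NOT a real scheme.
def derive_address(seed: bytes, path: str) -> str:
    return hmac.new(seed, path.encode(), hashlib.sha256).hexdigest()[:16]

@dataclass
class Output:
    address: str
    amount: int                   # constructed units (think satoshi)
    change_path: Optional[str]    # path the online wallet claims, if it says this is our change

def signer_review(seed: bytes, outputs: List[Output], intended: Dict[str, int]) -> bool:
    """What the hardware wallet does before signing. Returns True only if every
    output is either (a) exactly what the user intended (address AND amount, as
    shown on the device screen) or (b) change whose address the signer itself
    re-derives from its own seed at the claimed path. Anything else: refuse."""
    for out in outputs:
        if out.change_path is not None:
            if derive_address(seed, out.change_path) != out.address:
                return False      # claimed change does not belong to this wallet
        elif intended.get(out.address) != out.amount:
            return False          # not an output the user asked for
    return True

# Constructed scenario values
SEED = b"constructed-demo-seed"
MERCHANT = "a1b2c3d4e5f60718"    # constructed destination the user actually intends
INTENT = {MERCHANT: 50_000}
CHANGE_PATH = "m/84'/0'/0'/1/7"
CHANGE = derive_address(SEED, CHANGE_PATH)

def honest_tx() -> List[Output]:
    return [Output(MERCHANT, 50_000, None), Output(CHANGE, 9_500, CHANGE_PATH)]

def swapped_change_tx() -> List[Output]:
    # constructed tampered tx: change address replaced, still labelled as our change path
    return [Output(MERCHANT, 50_000, None), Output("deadbeefdeadbeef", 9_500, CHANGE_PATH)]

def swapped_destination_tx() -> List[Output]:
    # constructed tampered tx: destination replaced, change left intact
    return [Output("deadbeefdeadbeef", 50_000, None), Output(CHANGE, 9_500, CHANGE_PATH)]
```

The second case is the one the post calls hard to catch by eye: the destination looks right on the screen, so only the signer re-deriving the change address from its own seed exposes it.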