All of this needs considered, from the hardware through the OS, however microkernels and boot from network also help. Hardware locked computers also help to. So a secure audited OS (Debian or derivative etc.) flashed onto usb, that can be crc checked by users. If this is read only then we are in good shape. The SAFE network does not need to store any data locally but looks like it contains all your data and more (via vfs etc.).
All of this needs to be in the mix. I n terms of hw wallets, I love them, but how do we know the app that's used is not compromised? i.e. ledger wallets need the app to run, what if it's swapped out and you use my bad app, looks the same but in background transfers coin to me etc. All of this also needs to be considered as well.
So when SAFE launches I think we have a critical building block for a much more secure future, it's only a component mind you, but a component we absolutely need in the case of security for the sake of privacy and ultimately freedom.