Your question is hard to understand.
With cold storage/airgaps, this seems like the only real attack vector beside physical of course.
What is "this"?
Does anyone have any best-practice advice on how not to leak private keys through signing via a USB device?
USB devices can't sign. What you do is have a watching-only wallet on an online computer. Use that to create an unsigned transaction. Copy the unsigned transaction to your USB drive. Take that to your offline signing machine, which has the private keys. Sign the unsigned transaction from the USB drive and copy the signed transaction to the USB drive. Then go back to the online computer and broadcast the signed transaction.
Would this be something that eventual Trezor support could help with? I suspect not unless you could set up multisig with one part on the Trezor device?
Trezor is a hardware wallet and completely separate from cold storage and air gapping.