USB devices can't sign. What you do is have a watching-only wallet on an online computer. Use that to create an unsigned transaction. Copy the unsigned transaction to your USB drive. Take that to your offline signing machine which has the private keys. Sign the unsigned transaction from the USB drive and copy the signed transaction to the USB drive. Then go back to the online computer and broadcast the signed transaction.
I am no expert on malware/viruses/key loggers, but it would seem to me that this is the only practical risk when using digital media that might expose private keys. I seem to remember reading something on the Armory site saying this was a remote risk, but a risk nevertheless?
Trezor is a hardware wallet and completely separate from cold storage and air gapping.
I know, but I was wondering, if you had a multisig cold storage with one of those signers on the Trezor device you would get the benefit of effective multi-device/multi-sig? i.e. someone would need both the cold storage machine and the Trezor device to sign, and the above leakage risk would be mitigated.