Hello, when using a cold wallet like KeepKey, for example, do I need to use a private key(s) to sign every SEND transaction?
If not, is there a situation where private key MUST be used and 12-word recovery phrase won't be sufficient?

I mean if a 12-word phrase is compromised, so can be the private key!
But then simply from functional (not security) point of view, what can private key do that a 12-phrase can't?