Hello, when using a cold wallet like KeepKey, for example, do I need to use private key(s) to sign every SEND transaction?
All standard P2PKH and Multi-Sig bitcoin transactions must be signed.
If not, is there a situation where a private key MUST be used and the 12-word recovery phrase won't be sufficient?
The private key is generated from the recovery phrase. As long as you have the recovery phrase, you should be able to generate any necessary private keys.
I mean, if a 12-word phrase is compromised, the private key can be too!
Correct.
If the recovery phrase is compromised, then all of the private keys that are associated with that recovery phrase are also compromised.
But then, simply from a functional (not security) point of view, what can a private key do that a 12-word phrase can't?
A private key can be used to sign bitcoin transactions. A recovery phrase cannot be used to sign bitcoin transactions. A recovery phrase can be used to reconstruct the private key so that the private key can be used to sign bitcoin transactions.