First is the easy one and works 100% and is safe. Simply get your privatekey and go offline (disconnect the cable or turn on wifi to make absolutely sure)
That is not "safe"... how is generating a privatekey while connected and online and then going offline "safe"? 
How do you know that the key hasn't been sent before you unplug the cable or disconnect your WiFi? 
If you want your paper wallet to be completely "safe"... You need to be offline before you begin anything. The private key needs to be generated completely offline... and stay offline. There are plenty of guides around on how to do this... using dice or flipping coins... or using a Linux "Live" bootable USB/DVD (with no networking enabled) and running the pages offline.