There's nothing much you can do against $5 wrench attack if you're already targeted or on watch-list.
While there are few solution such as Multi-Signature and split Bitcoin into multiple wallet (where you attempt to fool attacker by giving wallet with small amount), it's simply trade-off security with trust, convenience or/and losing lesser amount.
So wallet.dat is the safest, yet, the most annoying to keep safe, as you need to keep a physical medium to store it offline, and you need the synced node to transact as well.
No, generally hardware wallet is safer. On few brand, you only have 3 attempt to enter PIN before the HW wallet reset/delete everything.