Note that all newly created wallets are HD wallets. "Descriptors" and "legacy" refer to the internal structures of how the wallet manages keys and scripts. Descriptor wallets use output script descriptors specified in BIPs 380-386. Legacy wallets are just a bunch of keys that may or may not be generated deterministically (depending on the wallet version) and have some confusing and unexpected behavior when it comes to determining what transactions belong to the wallet.
But I can't find any good documentation on how to store and handle this for a cold wallet. What am I backing up there on paper and how do I get it in a simple way?
The implementation of descriptor wallets is entirely transparent to the user. The user should not feel or have to do anything meaningfully different with a descriptor wallet than with a legacy wallet. As such, backups are done in the same way - you must backup the entire file. There is no paper backup method.
How do I get the private key to an address?
This is one of the most noticeable differences. With descriptor wallets, you cannot export the private key for one address. This is because a child private key combined with the parent public key can be used to compute the parent private key (and hence all other child private keys). This is a risk inherent in BIP 32's unhardened derivation. As such, descriptor wallets disallow the export of child private keys in order to mitigate the risk of accidentally exposing the parent private key.
But you shouldn't be exporting individual private keys anyways. The wallet does not use just one private key, so having an individual child private key is really not that useful.
Will signing transactions with bitcoin-cli work the same way as with a legacy wallet?
Yes. There is no change in the methods for getting new addresses, or with making transactions. These are kept entirely the same.
I find it all confusing compared to how it used to be.
It's only confusing because both types of wallets can be used right now.
How long will legacy wallets be supported?
They are planned to be dropped entirely in 27.0, which will be released in ~7 months. However there is and will continue to be a tool in Bitcoin Core that allows you to convert a legacy wallet into a descriptor wallet.
What disadvantages do I have when I use a legacy wallet as cold wallet?
It's rather difficult to create a watchonly wallet from a legacy wallet. You want your private keys in cold storage, but you still need to have an online wallet that contains the public things in your wallet so that you can learn about new transactions as well as create unsigned transactions that will be signed on your cold wallet. With a legacy wallet, this is rather difficult to do. Descriptor wallets make this very easy to do.
Since legacy wallets will soon become unsupported, you'll be unable to make use of any new features that may become available on Bitcoin. Notably, legacy wallets already cannot create Taproot addresses, so they are completely unable to use Taproot at all. Descriptor wallets support Taproot out of the box already, and will be able to support any future address types as long as a descriptor is designed for them.
I really only want to use bitcoin-cli (in combination with "bitcoind -noconnect") and the usual Linux tools on my cold wallet machine (Raspberry Pi 2 ). Everything on the terminal. So should I better switch to a hd wallet or can I stay with legacy?
I suggest that you switch to a descriptor wallet. It will make setup of the watchonly wallet much easier (export the public descriptors and import them on the watchonly). They will also continue to be supported and actually get new features.