All Cold-storage setup tutorials tell you to create the wallet in the air-gap device, so in the process, the seed phrase and passphrase are kept "cold" as well.
That makes it "Cold", unless you "accidentally" store it on an online machine.

If you're going for Tails setup, its "Persistent Storage" where you should put the cold-storage wallet's data directory
can be encrypted with a password of your choice, every other files will automatically be forgotten in every session.
With that, set a strong persistent storage encryption password (different from your wallet's password and seed phrase's passphrase)
So even if the flash drive is stolen, the thief wont be able to access its contents.