that only works if the wallet is not created by scammers for the purpose of scamming users. if the owners of the wallet creates it to scam people, then your keeping of your private key offline will not in any way save you from their attack. you saving your coin in such wallet is just like you handing over your coin to them hackers because they can decide to move it whenever they want to. plays tore for instance has become too weak regarding the way they go about allowing apps that are not legit to exist on their end. even when you check for the authenticity of those apps via the reviews on plays tore, you later find out that the reviews are paid for and does not truly reflect the real user experience of the app. it just brings us back to a place where we have to rely on popular exchanges and maybe ask on the forum on the authenticity pf the exchange or wallet we are to use based on real user experience.