Post
Topic
Board Beginners & Help
Re: Cold storage? Still Have a Backup..
by Cricktor on 21/09/2025, 09:15:24 UTC
Hardware wallets are usually signing devices and commonly don't work totally on their own. There's commonly a watch-only online software part which "talks" to the hardware wallet (hands over a transaction to be signed; takes the signed transaction from the hardware wallet to broadcast it). There should be no code in either part to allow access to private keys at the barrier of the online computer/device and the hardware wallet.

When the firmware of the hardware wallet is open-source and preferably allows reproducible builds, you can check that there's usually no network stack, code or hardware components (smart chips) that can talk to the internet. Therefore I consider such signing devices as offline and basically cold storage, YMMV, limited to devices that have no Bluetooth stack (often too complex and rarely bug-free) and where the private keys or similar main secrets of the wallet are not reachable from the connected computer/device (the latter e.g. doesn't really apply anymore to modern Ledger crap that allows their infamous Recovery service subscription).

Non air-gapped signing devices mostly use USB as the hardware connection layer. The firmware of the signing device has to clearly limit what data can travel and what else is allowed to happen via such a USB connection.

The internet can't talk directly to the signing device and vice-versa.

Malware on an online computer with the watch-only wallet can manipulate and compromise the software wallet part. A compromised software wallet can submit manipulated transactions to be signed by the signing device. That's why the signing device needs its own independent display where the user can easily check ALL transaction details before they allow the transaction to be signed. That's also why everybody always has to verify ALL transaction details, no exception whatsoever, unless they want to be reckless.
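
An added example, not part of the original post and not any vendor's firmware: a sketch of the check the last paragraph describes, where the outputs are decoded from the raw bytes handed over for signing and compared with what the user intended. It assumes legacy (non-segwit) transaction serialization; the sample scripts, amounts and function names are constructed for illustration.

```python
import struct

def build_unsigned_tx(outputs):
    """Constructed sample tx: one dummy input, legacy serialization, sizes < 0xfd."""
    tx = struct.pack("<I", 2) + b"\x01" + bytes(32) + struct.pack("<I", 0)
    tx += b"\x00" + struct.pack("<I", 0xffffffff) + bytes([len(outputs)])
    for sats, script in outputs:
        tx += struct.pack("<q", sats) + bytes([len(script)]) + script
    return tx + struct.pack("<I", 0)  # locktime

def read_varint(buf, pos):
    """Bitcoin compact-size integer; returns (value, next position)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def parse_outputs(raw):
    """Decode (satoshis, scriptPubKey hex) from the bytes that would be signed."""
    pos = 4                                    # skip version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                              # previous txid + output index
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                        # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outs = []
    for _ in range(n_out):
        sats = int.from_bytes(raw[pos:pos + 8], "little")
        slen, pos = read_varint(raw, pos + 8)
        outs.append((sats, raw[pos:pos + slen].hex()))
        pos += slen
    if pos + 4 != len(raw):                    # only the locktime may remain
        raise ValueError("malformed transaction")
    return outs

def unexpected_outputs(raw, intended):
    """Outputs present in the transaction that the user never asked for."""
    want = [(sats, script.hex()) for sats, script in intended]
    return [out for out in parse_outputs(raw) if out not in want]

# Constructed sample data: P2WPKH-shaped scripts with filler key hashes.
PAYEE = (50_000, b"\x00\x14" + b"\x11" * 20)
CHANGE = (149_000, b"\x00\x14" + b"\x22" * 20)
SWAPPED = (50_000, b"\x00\x14" + b"\x99" * 20)   # same amount, other script
honest = build_unsigned_tx([PAYEE, CHANGE])
tampered = build_unsigned_tx([SWAPPED, CHANGE])
print(unexpected_outputs(honest, [PAYEE, CHANGE]))
print(unexpected_outputs(tampered, [PAYEE, CHANGE]))
```

The tampered transaction keeps the amount and the change output unchanged, so only a comparison of the full destination script (what the device shows as the address) reveals the substitution.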