Bought a cold wallet (Trezor T) as my hot wallet for 3 years got drained recently (ALL CHAINS) - the experience is kinda traumatizing tbh.

I was airdrop farming and doing some free stuff to increase my dry powder for this cycle; I've been very careful but I realized that you can never be perfectly careful. I'm not sure up until now on how I got hacked but my boss said that the hacker must have gotten my seed phrase as the hack from signing a malicious contract will only be limited to that chain, and my assets from all chain got drained. But here's the thing - I never did type my seed phrase even once in the past year, so I wonder what has gotten me.

So now, I just wanted to ask the degens out here what are your best practices when handling NFT and FT assets using Trezor. For now, I just know that - my Trezor should only "receive" NFTs - my Trezor should only "receive" FTs from my hot wallet (or burner wallet) Centralised exchanges (CEXs) - my Trezor should NOT sign any requests on chain - my Trezor should only deposit to trusted CEXs in case of liquidation need.

Any else please? TIA.

Bonus question: How do I make sure my Trezor isn't compromised? (I bought from a reputable one but not legitimate reseller in the country)