For that reason you should in principle create a backup of your private key before writing it to the hardware wallet. And, optionally, have two identical wallets.
Happy user of Librem 15 here. I think that Librem 14 is a great choice with cool security features. See also: HCL - Librem 14 v1. Some people on this forum are skeptical though.
“vault” is an offline-VM. One can indeed store secrets there with very low chance of getting them leaked. See Data Leaks though.
You should always have your hard drive encrypted (which is the default in Qubes OS). If you laptops gets stolen while it’s on then you are in trouble though. Per-VM encryption and Hidden AppVMs are not implemented yet.
No necessarily dumb. I guess Qubes vault appvm without network is the closest option to offline computer.
Personally I don’t store any master keys, cold wallets and any of that stuff to Qubes. I’m practical with this. It’s a physical computer controlled and configured with software, so ultimately I don’t trust it. For the most valuable data, I have a separate physical computer without network.