I think it depends. Having a device store keys could be a hole for some people. I don't think the potential holes matter so much if the device doesn't store keys or touch the web, assuming one doesn't want the device to store keys. But I do agree that it's obviously better to have the smallest possible attack surface even if you do want a RPi type signer. Most things can be better.