I think that an extra layer of security doesn’t make much sense in this case. If someone can see the cold storage wallet, that means that they have the
manage_wallets capability, and thus they can already steal your funds. An extra pin will not stop them.
Any cold storage that you setup will be unknown to the installed plugin. Why do you think that this is not possible at the moment? A cold storage is simply another wallet, which could be a hardware wallet, software wallet, or even paper wallet. The only requirement is that you are able to transfer funds between the hot wallet and cold wallet. Otherwise these are not connected in any way.
Please let me know if I did not understand what you’re suggesting.