Is there any reason not to generate paper wallets by:
a) setting up zcash under your preferred security precautions
b) generating a new t-address
c) executing 'zcash-cli dumpprivkey YourZcashPublicAddress'
d) printing or writing down the result (and checking it twice)
e) nuking the wallet file / VM / rebooting the liveCD / blowtorching the laptop?
...then later re-activating the address with 'zcash-cli importprivkey PrivateKey "" false' ?