FWIW, Trezor has consistently got this right for every upgrade, updating the consensus branch id in advance. Since Sapling (maybe also Overwinter?), I’ve tested transactions to and from a Trezor in the upgrade coordination meeting just after activation, and it has always worked (sometimes needing a firmware update if I haven’t updated recently). There would be no point in doing that testing with Ledger: it would always fail, due to their policy of waiting to release new software that supports the upgrade until after it has happened. I would not personally use Ledger for Zcash.
I’m expecting that Keystone will be an even better choice for a hardware wallet once it is ready, since it will support shielded spends. The Keystone developers are very on-the-ball. In fact they asked today how they could make sure to avoid this consensus branch ID issue (they were already doing the right thing).