First, let me say that an online wallet that holds a private key, or a “hot” wallet, is mandatory to perform bitcoin transactions. If the role of Lightning Network is to dramatically increase the number of bitcoin transactions, that inherently implies a larger use of “hot” wallets, and therefore, a larger risk.
LN wallet private key: used for performing a channel funding transaction when a new channel is created.
Channel private key: a different private key for each channel connected to a user node. This key is used when sending money to a user.
The use of a channel private key is limited to Lightning Network and to the context of a specific channel, meaning it can’t be used to perform on-chain transactions. Even if someone steals this private key, the only possible exploit is to send money to the user at the end of the channel. There's not much value there considering the relatively low limit of the LN channel.
A simple watchtower solution that monitors relevant on-chain transactions would easily detect such transactions that were not initiated by the hub.
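One way such a watchtower check could work, as an added example that is not from the original article: it tracks unspent outputs paying the hub and alerts when one is spent by a transaction the hub has no record of creating. The transaction dictionaries, script labels, the hub's log of initiated txids and all names below are simplified assumptions, not real Bitcoin or LN data structures.

```python
# Constructed sample data: simplified transactions, not real Bitcoin serialization.
SAMPLE_TXS = [
    # Outside party funds the hub's LN wallet.
    {"txid": "aa01", "inputs": [{"txid": "ext0", "vout": 0}],
     "outputs": [{"script": "hub-wallet"}]},
    # Hub opens a channel (funding output) and receives change.
    {"txid": "bb02", "inputs": [{"txid": "aa01", "vout": 0}],
     "outputs": [{"script": "channel-2of2"}, {"script": "hub-wallet"}]},
    # The change output is spent by a transaction the hub never logged.
    {"txid": "cc03", "inputs": [{"txid": "bb02", "vout": 1}],
     "outputs": [{"script": "unknown"}]},
]


class Watchtower:
    """Hypothetical watchtower: follows outputs paying the hub and flags
    spends that are missing from the hub's own log of initiated txids."""

    def __init__(self, hub_scripts, initiated_txids):
        self.hub_scripts = set(hub_scripts)    # scripts controlled by the hub's keys
        self.initiated = set(initiated_txids)  # txids the hub logged before broadcast
        self.watched = set()                   # unspent (txid, vout) paying the hub
        self.alerts = []

    def process_tx(self, tx):
        outpoints = [(i["txid"], i["vout"]) for i in tx["inputs"]]
        spent = [op for op in outpoints if op in self.watched]
        # A watched output moved, but the hub has no record of creating this tx.
        if spent and tx["txid"] not in self.initiated:
            self.alerts.append({"txid": tx["txid"], "spent": spent})
        self.watched.difference_update(spent)
        # Start watching any new outputs that pay the hub (change, channel funding).
        for vout, out in enumerate(tx["outputs"]):
            if out["script"] in self.hub_scripts:
                self.watched.add((tx["txid"], vout))


def scan(txs, hub_scripts, initiated_txids):
    """Feed transactions in confirmation order; return (alerts, still-watched outpoints)."""
    tower = Watchtower(hub_scripts, initiated_txids)
    for tx in txs:
        tower.process_tx(tx)
    return tower.alerts, tower.watched


if __name__ == "__main__":
    alerts, watched = scan(SAMPLE_TXS, {"hub-wallet", "channel-2of2"}, {"bb02"})
    for a in alerts:
        print("ALERT: tx", a["txid"], "spent hub outputs", a["spent"])
```

The check is only as trustworthy as the log of initiated txids, so that log should be written by the hub before broadcast and stored where a compromise of the hot wallet host cannot alter it.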