Spending from paper wallets:
Problematic action: Import a paper wallet private key into a wallet app, then spend directly from the paper wallet address.
Mistake: Expect the paper wallet to hold the change automatically, as a real-life wallet would, which may not be the case.
Reason: Early wallet apps (and possibly some new ones?) didn't handle the change correctly. The change became the miners' transaction fee.
Explanation: It's a misunderstanding of how Bitcoin works. There is no account balance of any kind in Bitcoin. There are only Unspent Transaction Outputs (UTXOs). The receiving address of the change must be specified when BTC is spent. Otherwise, the change will become the transaction fee.
Mistake: Think nothing is wrong if the change is handled correctly.
Reason: It's address reuse, which is not recommended in Bitcoin because: 1) it reduces the anonymity of both the sender and all the subsequent receivers; 2) it reduces security by exposing the public key, which is vulnerable to quantum computers. Addresses are hashes of public keys, which are safe.
Mistake: Destroy the paper wallet after it's imported into an HD wallet, thinking that it has become a part of the HD wallet and it's safe because the master seed of the HD has been backed up.
Reason: It is not a part of the HD wallet. If the paper wallet (the paper) is destroyed and the app is uninstalled, the BTC is gone even if the HD wallet is recovered from its master seed.
The right way:
Spend (transact) all BTC in a paper wallet to an address of your wallet app. Destroy the paper wallet. Spend BTC from there. After all the spending is finished, create a new paper wallet and transact all the remaining BTC to it. Store the new paper wallet.
Creating paper wallets:
Problematic action: Use a wireless printer.
Reason: It's insecure because wireless networks are insecure.
Solution: Use a wired printer.
Problematic action: Use a printer with a hard drive.
Reason: It is insecure because the private key of the printed paper wallet may be stored on the hard drive, and may therefore be recovered if the printer is sold or scrapped.
Solution: Smash the hard drive.
Problematic action: Leave the printer open for other people to access.
Reason: It's insecure because the private key printed may still be in the memory of the printer.
Solution: Turn the printer off.
Problematic action: Use a shared printer (at work or school, for example).
Reason: It's insecure because 1) the printer may have a glitch and someone else may get your printouts; 2) the printing jobs may be centrally logged.
Solution: Don't. Use your own printer.
Problematic action: Use a printer to print the private key or the QR code of the private key.
Reason: Same as above.
Solution: Handwrite the private key. Hand-draw the QR code of the private key. Double-check, then check it again, then get someone you trust to check it again.
Please supplement if there are unlisted pitfalls.
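
The fee rule from the Explanation under "Spending from paper wallets" and the sweep described under "The right way", as an added Python example that is not part of the original post. Amounts are in satoshis; the function names, the fee cap, and the txid and address strings are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UTXO:
    txid: str
    vout: int
    value: int  # satoshis

def implied_fee(inputs, outputs):
    """A transaction has no fee field: fee = sum(inputs) - sum(outputs)."""
    fee = sum(u.value for u in inputs) - sum(v for _, v in outputs)
    if fee < 0:
        raise ValueError("outputs exceed inputs")
    return fee

def build_spend(inputs, pay_to, amount, fee, change_to):
    """Pay `amount` and return the remainder to an explicit change address."""
    change = sum(u.value for u in inputs) - amount - fee
    if change < 0:
        raise ValueError("insufficient funds")
    outputs = [(pay_to, amount)]
    if change > 0:
        outputs.append((change_to, change))
    return outputs

def build_sweep(inputs, wallet_addr, fee):
    """'The right way': move everything off the paper wallet in one transaction."""
    total = sum(u.value for u in inputs)
    if total <= fee:
        raise ValueError("nothing left to sweep after the fee")
    return [(wallet_addr, total - fee)]

def check_before_signing(inputs, outputs, max_fee):
    """Refuse to sign when the implied fee exceeds a cap (assumed policy check)."""
    fee = implied_fee(inputs, outputs)
    if fee > max_fee:
        raise ValueError(f"implied fee {fee} sat exceeds cap {max_fee} sat; "
                         "is the change output missing?")
    return fee

# Constructed sample: one 1 BTC UTXO sitting on the paper wallet address.
PAPER = [UTXO("aa" * 32, 0, 100_000_000)]

if __name__ == "__main__":
    no_change = [("merchant-address", 10_000_000)]   # change output forgotten
    print("fee without change output:", implied_fee(PAPER, no_change))
    spend = build_spend(PAPER, "merchant-address", 10_000_000, 10_000, "change-address")
    print("fee with change output:   ", check_before_signing(PAPER, spend, 50_000))
    print("sweep outputs:            ", build_sweep(PAPER, "hd-wallet-address", 10_000))
```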