If your attacker has access to arbitrary memory of a process, you're using an insecure OS/version. Or they dumped your process memory using a vulnerability (in your system)
Yes, there are some possible attacks (page file, cache, etc)
Attacking memory after a reboot requires physical access (unless you hibernated without an encrypted file, in this case...)
Sure but smartcards and HSMs are slow and in a properly managed environment are much safer than memory.
Whether or not the OP has an HSM is moot. The OP said, "I want to design and implement a solution as secure as it can be" ... and that means (among many other things) keys on HSM.
If your attacker has access to arbitrary memory of a process, you're using an insecure OS/version. Or they dumped your process memory using a vulnerability (in your system)
Yes, there are some possible attacks (page file, cache, etc)
Attacking memory after a reboot requires physical access (unless you hibernated without an encrypted file, in this case...)
It certainly beats the security of file/network