You are looking at it wrong: when the computer is on, the attack surface of hardware or software encryption is the same; if the OS is compromised, or any other major part like your CPU, the hacker has everything.
When the computer is off, the software has zero attack surface, so your only attack surface is a cold boot attack against the computer (in which case it doesn't really matter if it's HW or SW encryption, as long as the keys are in the TPM) or an offline attack.
With an offline attack, the attack surface of a HW encryption that might also store a copy of the key, encrypted or not, is now greater.
Also, the attack surface alone is only a small part of the risk metric; how easy it is to fix is just as, if not more, important than how likely it is to have a vulnerability, and a firmware, not to mention controller-level, flaw in the cheapest SoC with AES encryption the SSD vendor could find is a much, much harder thing to fix than a software solution.
If someone were to compromise your OS then your data is compromised anyhow; for what FDE is supposed to protect against, that is unauthorized access when the device is out of your control and off, the software stack does not pose a greater attack surface.
Literally the only case in which the "software" solution might be more vulnerable is when your device is suspended with the key in memory, which means that you can attempt memory extraction through physical means (e.g. freezing it and transferring it to a reader before the charge fades), in which case there is no guarantee that the HDD solution would be any better, nor is there any guarantee that you don't hold a copy of the key in memory regardless of what mode is used.
If the device is simply locked then the HDD is in an unlocked mode anyhow; if they can unlock your OS through some sort of an exploit then, HW or SW, they still get your data.