Rev 10/7/18 (see Revision Notes)
Another application for Apt-offline is to make changes to what I call "secure" full installations of Ubuntu and its derivatives on such things as USB 3.0 flash drives and SD cards (8GB minimum typically), running on "secure" PC's, in cases where the changes couldn't be made with the new "containerized" software systems (Snappy and Flatpak). When creating such installations, the encryption-option would be selected, so that the retained data would be secure, supposedly, although it should be backed up on separate encrypted flash drives. I can't guarantee that such installations are secure, although they can be hidden just about anywhere when not in use. Persistent live installations are another option, although they would retain data in an unsecure form, and there aren't many USB-installers which can make such installations, perhaps indicating what the experts think of such installations. I gather that there are also security risks in using such installations for accessing the internet, partly because they aren't password-protected.
By "secure" PC's, I mean PC's which have no internal storage which might be surreptitiously used for storing data to be sent to the Thought Police when an internet connection is available (or retrieved by sneaking into your abode), and which are electromagnetically isolated from the internet, meaning no wired connections or wireless circuitry, including in peripherals such as keyboards, monitors, printers, etc., because wireless circuitry might be surreptitiously enabled, such as in burst-mode, to send a dispatch to the Thought Police. This approach (which requires an extra PC for use as the "secure" PC) might seem less convenient and more expensive, but when you consider all the factors, it's actually more convenient and less expensive than trying to secure a single internet-connected PC, which you can never be certain is secure. Mini-PC's with AMD APU's could be used for the optimal combination of price, power-consumption, and performance (units with 7 nM lithography, and even lower power-consumption, will supposedly hit the market in 2019). AMD processors are less likely to have built-in wireless circuitry, and in some mini-PC's, the wireless circuitry is placed on a separate module which can be removed without much difficulty (tip: to disconnect the tiny RF connectors, pull straight up on them with a pair of long-nosed pliers).
"Secure" installations running on "secure" PC's could be used for composing and encrypting secure messages, and decrypting and reading them, so that the messages never exist in unencrypted ("plaintext") form on an internet-connected PC, where you should assume they will find their way to the internet. When using such high levels of security, the weak link is the recipient (who would also have to use a dual-PC system for security), and you should just assume that they're going to betray your confidence eventually unless there would be a significant penalty, and keep this in mind when deciding what information to provide to them, and when. It might be a good idea to test them with bogus "secrets" before sending any actual secrets. Don't use digital signatures unless necessary, because you can't deny sending something that has your signature on it unless your private key has been compromised.
To share peripherals such as keyboards and monitors between "secure" and internet-connected PC's, a KVM switch would be used. This requires the video standards of the PC's to conform to the standard used by the KM switch, or to be adapted to it. In some cases, when booting multiple PC's connected to a KM switch, each PC must be fully booted before switching to another PC and booting it.
Notes
Revisions
10/7/18 - Revised the entire article after some experience with using a full installation on a USB 3.0 flash drive, and hopefully clarified it.