QubesOS – A reasonably secure operating system

I love Qubes a lot, I daily drove it for a few years and still have it on a laptop. but i would not recommend it even to most technical people, mainly because you forfeit the ability to run things on bare metal. "dom0" is the same as on normal xen - it is a VM and has the associated overhead still. On top of that, the official Qubes dom0 runs a very outdated fedora version.

I am instead writing my own code to automate libvirt to replicate much of Qubes' functionality (ephemeral roots for vms, disposable vm support, GUI isolation) so i can still have Qubes security for most of my apps but fully exercise my hardware when I want.

There are also some minor criticisms i have of Qubes' default, mainly that appvms have passwordless sudo by default and less importantly, no MAC such as apparmor. Passwordless sudo arguably makes it somewhat easier to break out of the VM and no in-vm sandboxing means you have to run every in a separate VM unless you want to set that up yourself.

For example i don't really want my work thunderbird to have access to my work browser, so a single "work" domain isn't enough for me.

The threat model assumes that any code in a VM can, with some application of effort, access anything else in that VM. Given the relatively low cost of local root exploits and kernel exploits, this is reasonable. Passwordless sudo is simply a reminder that you can't rely on intra-vm separation of anything you care about separating.

If you wanted to add additional hardening within a VM, it's supported - create your own templateVM for it, and use it. It's just not the default, and I generally agree with it. If you trust the OS kernel and features to keep things separated, there's no reason to run Qubes in the first place.