There is a dom0 user prompt solution for sudo ("Passwordless root access in Qubes | Qubes OS"), which asks the user in dom0 whenever sudo is executed in a VM.
Is there a dom0 user prompt solution for TCP - a dedicated firewall VM, so that whenever a TCP SYN is sent from behind the firewall, the firewall VM will prompt the user to allow or deny the connection?
The firewall can be more helpful by using the DNS traffic when available.
Therefore, each time a VM wants to connect to the internet via TCP, it will need user approval. The user can see the protocol (TCP, UDP), the peer address and port, the source address (VM name) and port, the deduced host name of the peer (provided by the firewall VM), and the hint from the VM (an untrusted string, including the PID and process name that initiated the connection).