Updating is indeed the unfortunate aspect of this. Once you create a template, it’s independent of the one you cloned it from, and if the original needs an update, so does the clone.
Because, for some reason, I actually have to run a template to see that it needs updates, I actually clone my most basic template to “Update-Canary-00”. I set the memory to bare minimum on it and actually have it start up shortly after I log in. (This way I’m not running my actual base template, but I will know when it needs updating.) Similarly for other templates that occupy prominent positions in my inheritance tree (such as the base of all appvms that aren’t system appvms).
I can hear you screaming already because I end up with six qubes that run solely for the purposes of detecting a needed update. There’s no reason one cannot shut them down after half an hour (which should be enough for them to detect needed updates). Once running, after the initial check they will wait two days to check again (so sometimes I restart them). But I have 64 GB of RAM so having a few qubes using 400MB each doesn’t bother me.
Anyhow, if I see that my base qube needs an update…I know I have to update them all. If the “base” qube with my browser needs an update, then all of my browser templates (about six of them) need updating.
As Sven points out, you don’t absolutely need to install one app per template, you can mix or match. You have maximum freedom there. I personally would, at a bare minimum, make sure no apps (like libreoffice, a browser, keepass, etc) are on my system qubes. (That calls for a system base template that’s barely more than the minimal template, and an app base template; system qubes would clone the system base and add whatever they need. The application base qube would have more stuff (such as, possibly, a file manager app and other stuff a user would find convenient), then you can either install all of the apps onto it, or clone it and install subsets of apps.)
So one possible tree would be:
debian-12-minimal
  system-base
    networking (sys net and sys firewall are based on this)
  app-base (add user conveniences to this)
    vault-tmpl (keepass. Really no reason to install anything else here.)
    browser-tmpl
      work-tmpl (you'd probably want libreoffice or equivalent on this; base your work qube on this)
      personal-tmpl (any apps you use personally on this)
Etc.
You can install whatever apps seem to make sense on your work and personal appvms on the corresponding -tmpl qubes. Here I’m assuming you’ll want a browser on both, but don’t want to have to actually install a browser twice and are willing to clone to avoid doing so. If you would rather install twice then just have work-tmpl and personal-tmpl at the same level as vault and don’t do browser-tmpl.
I divide things up a lot more finely than this, and you are free to do that as well (though I suspect you would rather not). The beauty of it is the choice is yours.
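
The update rule described in the post above, as an added example that is not part of the original post: given the clone tree and the templates whose canary reported pending updates, it lists every template that must be updated by hand, parents first. The tree shape is an assumption read from the post's description, and `parse_tree`, `templates_to_update` and `flagged` are hypothetical names.

```python
# Constructed input: the clone tree from the post, two spaces per level.
CLONE_TREE = """\
debian-12-minimal
  system-base
    networking
  app-base
    vault-tmpl
    browser-tmpl
      work-tmpl
      personal-tmpl
"""

def parse_tree(text, indent=2):
    """Return {template: [direct clones]} from an indented outline."""
    children, stack = {}, []  # stack[d] is the last template seen at depth d
    for line in text.splitlines():
        name = line.strip()
        if not name:
            continue
        depth, rem = divmod(len(line) - len(line.lstrip(" ")), indent)
        if rem or depth > len(stack) or name in children:
            raise ValueError(f"bad outline line: {line!r}")
        children[name] = []
        del stack[depth:]  # climb back up to this line's parent
        if stack:
            children[stack[-1]].append(name)
        stack.append(name)
    return children

def templates_to_update(children, flagged):
    """Flagged templates plus every clone beneath them, parents first."""
    unknown = set(flagged) - set(children)
    if unknown:
        raise KeyError(f"not in tree: {sorted(unknown)}")
    cloned = {c for kids in children.values() for c in kids}
    order = []
    def walk(name, dirty):
        # A clone is independent of its parent, so it inherits the need to update.
        dirty = dirty or name in flagged
        if dirty:
            order.append(name)
        for child in children[name]:
            walk(child, dirty)
    for root in (n for n in children if n not in cloned):
        walk(root, False)
    return order

if __name__ == "__main__":
    print(templates_to_update(parse_tree(CLONE_TREE), {"browser-tmpl"}))
```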