A malicious package doesn’t need dom0 to end the game. Updates could affect a template VM just as easily as dom0 (maybe even more easily, considering the number of packages that get installed). If a template VM installs an infected package, then all app VMs based on that template will inherit the infection. At that point, an attacker might not even care about dom0.
2 Likes