An important difference between minimal templates and dom0 is that minimal templates’s AppVMs are expected to have contact to user data, which greatly increases the risk that some package’s binaries will be executed, either intentionally or inadvertently.
As you know, dom0 can contact every data and can execute every binary in every VM. Also, a malicious package can contain no binary, e.g. it can simply replace config files with others, which would affect the way non-malicious system processes work, thus creating a mess. Things can be even more nuanced. An attack doesn’t necessarily mean data exfiltration.
If a user follows the recommendation of not using dom0 for anything but configuration, e.g. no viewing your screenshots there - send them to a dvm
The software generating the screenshots is installed as trusted in dom0. The input data (the workspace) is fully accessible to dom0 (it generates it). Therefore, the output image file has the quality of ultimate trust. So - trusted data, trusted software in the only fully trusted VM. If such data can “activate” malware, then any other data existing in dom0 can do that. Why should one send ultimately trusted data to a disposable VM - a technique aimed for untrusted data? If that is not a security theater, I don’t know what is.
no using it as a vault for your secrets - use the vault qube
Secrets are also ultimately trusted data. The purpose of having a vault domU for them is not to protect the secrets from activating malware in dom0, but to protect the secrets from less trusted domUs.
then the risk of a potentially malicious package in dom0 being “activated” through some user data being processed, is much lower than in the AppVMs based on minimal templates, because the latter do have regular contact with often at least somewhat untrusted user data. Given this important difference, no I don’t think the latter are “security theater”.
The whole idea that malware can safely exist in a passive state in dom0 and that the whole security of dom0 depends on the user being extra careful not to activate something somehow, while updates can install any new executables, including ones not explicitly requested by the user, is exactly what you don’t think it is and against all the recommendations related to that.