QubesOS is used by high-value targets such as whistleblowers. It seems to be a juicy target for agencies with resources much greater than those of the Qubes project.
It seems reasonable that QubesOS will be the target of hacks or supply chain attacks, potentially in dom0.
I have read quite a bit about QubesOS in the past few days on the internet with interest, together with a good part of its documentation. Most of the Google searches link to this forum, but you are right, I should have searched the forum directly as well.
I see QubesOS has reproducible builds. The documentation also indicates that there are serious security mechanisms in place.