I learned a lot of new tricks from this post. Thank you for taking the time to make it.
Minor nitpicks: The wording of the first line makes it sound like you'll need to install `qubes-usb-proxy` on every VM you intend to mount USB on. This is not the case. This is most likely not what you intended, but I just wanted to clarify something that might confuse a complete newbie.
I've never had to install `exfat-fuse` or `ntfs-3g` in my sys-usb, since drives are never mounted there; those packages are installed in the app-VMs. Since my drives work fine, it's likely this is unnecessary (but of minimal impact in terms of security). I haven't tried mounting encrypted drives, but I suspect it's the same.
sys-net and sys-usb
Maybe I'm confusing this with disposable sys-VMs, but for PCI HVMs I switch off the meminfo writer (`qvm-services [qube] meminfo-writer off`) and add `iommu=soft swiotlb=8192` to kernelopts (on top of what's already there).
Also, I think I've found a bug with security ramifications while checking settings for this: I recently switched to the 5.10 kernel for my default VM kernel. When I checked my kernelopts just now, all of the kernelopts in all of my VMs (except Whonix) had been cleared. This means that AppArmor was shut off for a while without me knowing it.
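An added example, not part of the comment above or of the post it replies to: a small dom0 shell script that applies the two PCI-HVM settings the commenter describes and, separately, audits every qube's kernelopts so that a kernel switch which silently blanks them (the failure mode in the last paragraph) is noticed instead of discovered by accident. It assumes Qubes 4.x dom0 tools (`qvm-ls --raw-list`, `qvm-prefs <qube> kernelopts`, `qvm-service <qube> <service> off`) and that the tokens you expect in every qube's kernelopts are `apparmor=1 security=apparmor` (change `REQUIRED` if your baseline differs). The qube names and option strings in `SAMPLE` are constructed for the demo, not real output.

```shell
#!/bin/sh
# Added example, not from the post or the comment. Assumes Qubes 4.x dom0.

# Tokens every qube's kernelopts is expected to carry (assumption: adjust).
REQUIRED="apparmor=1 security=apparmor"

# merge_opts EXISTING NEW: prints EXISTING with each token of NEW appended
# once. Tokens already present are not duplicated, so re-running is
# idempotent and nothing "already there" is lost. Pure text, no dom0 needed.
merge_opts() {
    out="$1"
    for tok in $2; do
        case " $out " in
            *" $tok "*) ;;
            *) out="${out:+$out }$tok" ;;
        esac
    done
    printf '%s\n' "$out"
}

# harden_pci_hvm QUBE: the commenter's two settings for a PCI-passthrough
# HVM such as sys-net or sys-usb. Runs only in dom0; fails fast elsewhere.
harden_pci_hvm() {
    command -v qvm-prefs >/dev/null 2>&1 || { echo "run this in dom0" >&2; return 2; }
    qvm-service "$1" meminfo-writer off
    qvm-prefs "$1" kernelopts \
        "$(merge_opts "$(qvm-prefs "$1" kernelopts)" "iommu=soft swiotlb=8192")"
}

# snapshot_kernelopts: prints "qube<TAB>kernelopts" for every qube in dom0.
snapshot_kernelopts() {
    command -v qvm-prefs >/dev/null 2>&1 || { echo "run this in dom0" >&2; return 2; }
    qvm-ls --raw-list | while read -r qube; do
        printf '%s\t%s\n' "$qube" "$(qvm-prefs "$qube" kernelopts 2>/dev/null)"
    done
}

# audit_kernelopts: reads "qube<TAB>kernelopts" lines on stdin, prints one
# line per qube missing any REQUIRED token, returns 1 if any qube fails.
# Pure text, so it can also be run over a snapshot saved before a kernel
# change and compared with one taken after.
audit_kernelopts() {
    rc=0
    while IFS="$(printf '\t')" read -r qube opts; do
        [ -n "$qube" ] || continue
        missing=""
        for tok in $REQUIRED; do
            case " $opts " in
                *" $tok "*) ;;
                *) missing="$missing $tok" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s: missing%s\n' "$qube" "$missing"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not real dom0 output): a qube with the default opts,
# one with the PCI-HVM additions on top, and one whose opts were wiped.
SAMPLE="$(printf 'work\tnopat apparmor=1 security=apparmor\nsys-usb\tnopat apparmor=1 security=apparmor iommu=soft swiotlb=8192\nvault\t\n')"

# demo: run the audit over SAMPLE; only "vault" should be reported.
demo() {
    printf '%s\n' "$SAMPLE" | audit_kernelopts
}

case "${1:-}" in
    demo)     demo ;;
    snapshot) snapshot_kernelopts | audit_kernelopts ;;
    harden)   harden_pci_hvm "$2" ;;
esac
```

In dom0, `sh audit.sh snapshot` lists every qube whose kernelopts lost a required token and exits non-zero, which makes it easy to run right after a `qvm-prefs ... kernel` change or from a cron job; `sh audit.sh harden sys-usb` applies the commenter's settings without duplicating tokens that are already present. `sh audit.sh demo` exercises the parsing on the constructed sample anywhere.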