Excluding unknown sophisticated exploits, malware would only remain in the AppVM (in this context “TemplateBasedVM”) if it infects the persistent directories, such as /rw (or any you have set to be persistent with bind-dirs). The rest of the operating system is read-only from within the AppVM and loaded into RAM along with it. Only by infecting the TemplateVM on which it is based can any malware persist outside of the AppVM’s persistent directories.
So, if an AppVM is infected, the worst-case scenario (the “burn-it-to-the-ground” option) would be to delete the qube and sacrifice all its user data, then recreate a fresh one based on the same clean TemplateVM. Similarly, an infected TemplateVM can be removed and reinstalled, though greater risk is involved with TemplateVMs because many AppVMs may be based on it and any (or all) of them may become infected via the TemplateVM through a sufficiently sophisticated attack. Routine infections, such as adware on a TemplateVM you misused and browsed the Internet with (don’t do this), will almost certainly remain contained within the TemplateVM and recreating it should suffice to confidently remove any trace of the infection without having to recreate all its dependent AppVMs. Doing so will sacrifice all customization done to the TemplateVM, though, such as modified configuration files or installed applications.
I am new to Qubes OS myself, so there may be errors in the above that someone more familiar with the subject can correct. This thread and @deeplow’s reply to it may help you better understand these things.
A major exception to all this is with StandaloneVMs, which are basically cloned copies of a TemplateVM that are then run as fully virtualized and self-contained qubes.
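An added example, not part of the original post: a defender's check, run inside a TemplateBasedVM, that lists which directories persist across restarts (/rw plus any bind-dirs entries) and which startup-relevant files under /rw changed recently. The function names are hypothetical, and the bind-dirs configuration paths and `binds+=( '...' )` syntax are assumed from the Qubes documentation rather than taken from this page.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumed from Qubes documentation, not from this page: bind-dirs entries are
# written as  binds+=( '/path' )  in *.conf files under these directories.
BIND_CONF_DIRS="/usr/lib/qubes-bind-dirs.d /etc/qubes-bind-dirs.d /rw/config/qubes-bind-dirs.d"

# Print each single-quoted path from binds+=( ... ) lines. The files are parsed
# as text, never sourced, so nothing in a suspect config gets executed here.
list_bind_dirs() {
    for dir in "$@"; do
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue
            grep -E '^[[:space:]]*binds\+=' "$conf" | grep -oE "'[^']+'" | tr -d "'" || true
        done
    done | sort -u
}

# List files under ROOT changed in the last DAYS days that can run code at
# login or boot: anything owner-executable plus a few startup file names
# (an illustrative selection, not a complete list).
recent_startup_changes() {
    find "$1" -xdev -type f -mtime "-$2" \
        \( -perm -100 -o -name '*.desktop' -o -name 'rc.local' \
           -o -name '.bashrc' -o -name '.profile' \) 2>/dev/null | sort
}

# Inside a TemplateBasedVM: show what survives a restart and what changed lately.
if [ -d /rw ]; then
    echo "Persistent roots: /rw"
    list_bind_dirs $BIND_CONF_DIRS | sed 's/^/  bind-dir: /'
    echo "Startup-relevant files changed in the last 7 days:"
    recent_startup_changes /rw 7
fi
```

Results gathered from inside a possibly compromised qube are only indicative, since the tools and startup files it relies on may themselves have been altered.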