Easy hardening for beginners

I’m a beginner like you. From what I’ve gathered so far reading this forum, the system is already pretty hardened, and continues to be further hardened with every new update.

You go on to mention ‘netvm’, so I’m assuming network hardening is a key concern. I myself wanted to figure out how to detect compromise of dom0, and it seems implementing an IDS would be a good start. A robust solution for this concept doesn’t seem to exist. Yet.

This is what I’ve started to work on, or merely brainstorm; feel free to get involved: Attack Early Warning, Detection, Delay and Denial System (IDS) for the Eye of Sauron & Co

However, I won’t be doing OpenBSD because I want to stay as stock as possible to what currently exists within Qubes, rather than learning and managing a whole other architecture and command structure.