After a bit more investigation:
A shared folder mechanism or mount folder to an external storage VM might actually do more harm than good, security-wise. It is also not supported officially yet.
Hence I did the following, which is (imo) a good compromise between a persistent app qube and a disposable one: delete the home folder before shutdown in the app qube, whitelisting app-specific folders.
Example script:

```sh
#!/bin/sh
# Delete all (incl. hidden) files in home, but keep the following exceptions:
# ~/.config/app
# ~/app
# ~/.local/share/applications
# ~/.config/systemd/user
# Needs GNU find (-path, -prune, -false, -empty, -delete, -mindepth).
BASE=/home/user

# First pass: the whitelisted directories are pruned, so nothing below them
# is visited; everything else that is not a directory is removed
# (regular files, symlinks as links, named pipes, sockets).
find "$BASE" -type d \
    \( -path "$BASE/.config/app" -o -path "$BASE/app" -o -path "$BASE/.local/share/applications" -o -path "$BASE/.config/systemd/user" \) \
    -prune -false \
    -o \( -type f -o -type l -o -type p -o -type s \) \
    -exec rm -rf -- {} +

# Second pass: delete all empty folders. -mindepth 1 keeps find from trying
# to remove $BASE itself; a whitelisted folder that is empty is removed too.
find "$BASE" -mindepth 1 -empty -type d -delete
```
systemd shutdown service:
```ini
# /home/user/.config/systemd/user/cleanup.service
# Enable once with: systemctl --user enable cleanup.service
# (cleanup.sh must be executable: chmod +x /home/user/app/cleanup.sh)
[Unit]
Description=Cleanup home after shutdown

[Service]
# oneshot with no ExecStart: the unit goes active at login and only
# ExecStop runs, when the user session is torn down at qube shutdown
Type=oneshot
RemainAfterExit=true
StandardOutput=journal
ExecStop=/home/user/app/cleanup.sh

[Install]
WantedBy=default.target
```
Now create `~/evil.sh` and reference it in `.bashrc`. Both will be cleaned up when the qube shuts down.
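As an added example (not the poster's script), the same prune-based cleanup written as a POSIX sh function that takes the home directory and the keep-list as arguments, run against a constructed throwaway directory so the keep/delete behaviour (including the `evil.sh` / `.bashrc` case above) can be checked before the script is wired into a shutdown hook. The function names, the fixture layout and the file contents are assumptions; it needs GNU find.

```shell
#!/bin/sh
# Added example, not the poster's script: the prune-based home cleanup as a
# function taking BASE and a keep-list, exercised against a constructed fake
# home. Requires GNU find (-path, -prune, -false, -mindepth, -empty, -delete).

# cleanup_home BASE KEEP_DIR...   (KEEP_DIR paths are relative to BASE)
cleanup_home() {
    base=$1; shift
    # POSIX sh has no arrays, so the find expression is assembled in the
    # positional parameters: each keep dir is taken off the front and its
    # "-path K -o -path K/*" tests are appended to the back.
    n=$#; i=0
    while [ "$i" -lt "$n" ]; do
        d=$1; shift
        [ "$i" -gt 0 ] && set -- "$@" -o
        set -- "$@" -path "$base/$d" -o -path "$base/$d/*"
        i=$((i + 1))
    done
    [ $# -gt 0 ] || set -- -false   # empty keep-list: nothing survives

    # Pass 1: kept directories are pruned, so nothing below them is visited;
    # every other non-directory entry is removed. Symlinks are deleted as
    # links, their targets are never followed.
    find "$base" -type d \( "$@" \) -prune \
        -o \( -type f -o -type l -o -type p -o -type s \) -exec rm -f -- {} +

    # Pass 2: remove directories left empty, deepest first (-delete implies
    # -depth). -mindepth 1 protects BASE itself; the "!" test keeps an empty
    # whitelisted directory (and anything under it), which -prune cannot do
    # here because -prune is ignored once -depth is in effect.
    find "$base" -mindepth 1 -type d -empty ! \( "$@" \) -delete
}

# make_fixture DIR: populate a constructed fake home (sample data, not real files).
make_fixture() {
    fx=$1
    mkdir -p "$fx/.config/app" "$fx/app" "$fx/.local/share/applications" \
             "$fx/.config/systemd/user" "$fx/Downloads/nested" "$fx/.cache/empty"
    echo 'setting=1' > "$fx/.config/app/settings.conf"            # kept: app config
    echo '#!/bin/sh' > "$fx/app/cleanup.sh"                       # kept: the cleanup script
    echo '[Unit]' > "$fx/.config/systemd/user/cleanup.service"    # kept: the unit file
    : > "$fx/.local/share/applications/app.desktop"               # kept
    : > "$fx/.bashrc"                                             # removed
    : > "$fx/evil.sh"                                             # removed (the post's example)
    : > "$fx/Downloads/nested/file.txt"                           # removed, then its empty dirs
    ln -s /nonexistent/target "$fx/link"                          # link removed, not followed
}

# list_tree DIR: sorted relative paths of everything left below DIR.
list_tree() {
    ( cd "$1" && LC_ALL=C find . -mindepth 1 | LC_ALL=C sort )
}

# run_demo: build the fixture, clean it with the post's four keep dirs,
# print what survived, and tidy up the temporary directory.
run_demo() {
    h=$(mktemp -d) || return 1
    make_fixture "$h"
    cleanup_home "$h" .config/app app .local/share/applications .config/systemd/user
    list_tree "$h"
    rm -rf -- "$h"
}

run_demo
```

After `run_demo` only the four whitelisted directories and their contents remain; `.bashrc`, `evil.sh`, the symlink and the `Downloads` and `.cache` trees are gone. The second pass differs from the one-liner in the post in two small ways: it never attempts to remove the base directory itself, and an empty whitelisted directory is left in place.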