I might have just what you need (Reduce Kernel Information Leaks):
security-misc: Enhance Miscellaneous Security Settings
Basically, use Kicksecure for sensitive templates and enable hide-hardware-info.service.
I’ve been using it for quite some time now for all my templates (morphed a debian-11-minimal with kicksecure-qubes-cli). It’s been working great, no issues so far (except for two very specific use-cases). Only thing, I had to bump the memory of sys qubes up ~200 Mb, and VM boot time is a few seconds slower.
Alternatively, you may try installing the security-misc package directly (you will need the Kicksecure repo) and try enabling the service without fully morphing a Debian template.