So If I’m understanding this correctly, the idea is to use each separate computing device as a single VM host and chain them together into a system, potentially allowing every RPi to host one or more fragments of the system in a physical package.
For example, I’ve often wondered whether sys-net is the most vulnerable given its an HVM that handles PCI devices and is connected to the internet without any filtration (internally). The biggest threat is sys-net being used as a bridgehead to punch through Xen, which leads to GameOver™. Moving sys-net onto a physically separated RPi adds another layer of insulation, but is not a magic bullet as that RPi will have to connect to the Qubes PC via NIC or USB, which entails a receiving HVM PCI qube, so an attacker with the ability to compromise the RPi can simply just repeat that step.
Maybe sticking a firewall (another RPi or smaller device running Mirage would be ideal IMO) between the sys-net RPi and the Qubes OS machine would provide enough insulation, but then again I’m not really knowledgeable about technical matters and am just thinking out loud.