Hi @Hack3rcon, welcome.
The main principle at work in Qubes OS is compartmentalization, that is: keeping separate activities that use data that has different levels of value to you, or involve different levels of risk.
How you define your compartments is up to you and depends entirely on your threat model (what you want to protect, from whom, and how much inconvenience you’re willing to tolerate to achieve that goal).
For the purpose of keeping your compartments separate, Qubes OS offers tools that allow you to create virtual machines (VMs) that are isolated from each other to the extent that Xen is performing its duty to do that. Additionally, as an additional measure against undesired modifications (e.g. by malware), parts of those virtual machines can be regenerated when they are rebooted: from the system files in template-based VMs, to most of the file system in disposable VMs. Qubes OS also provides ways to move data between those VMs, so that you can, for example, keep some data completely offline if that makes sense.
A good place to start learning more about Qubes OS is the official documentation. While it is quite large and can certainly look impressive, it is pretty good, and I’d recommend starting from the intro.
Now to your example:
You could, yes, and you would have a few different options to do so, depending on what you’re trying to achieve.
- If malware is your primary concern, you could create a template-based VM that you reboot after visiting sites you consider risky, so that any modification to, say, /usr/bin is reverted.
- You could also create a disposable VM that will be entirely discarded when you shut it down, so that the next browsing session uses a fresh VM.
Note that those examples focus on security, but not necessarily privacy (e.g. the web browsers in those VMs may still have unique fingerprints).
- If privacy is your concern, you could use a template-based or disposable VM based on Whonix, for example.
But saying: “I will treat browsing as a separate activity” is not your only option. Taking a textbook example, you could also say: “I will treat work stuff and banking stuff as separate activities”. Each of them might involve browsing different sites, and you could create separate VMs for that purpose, so that malware installed from a website you visited for work is kept isolated from your personal banking data. Each of those compartments would be called a domain in Qubes OS parlance.
You might use multiple VMs in each domain too. For example, within your banking domain, you might want to keep your accounting spreadsheets in a VM that never has any network access, while using another VM to access your bank’s website. As you might guess, complexity can increase quickly, even though Qubes OS tooling is all about making that complexity more manageable.
Starting by thinking about your own threat model (what you want to protect, from whom, and what are the consequences if you fail) is a good way to define how much complexity is useful to achieving your goals, and how much is only making your life harder by making your activities more error-prone. Complexity is generally detrimental to security, so it’s all about finding the balance that works for you and that’s highly personal.