Creating a TemplateVM for each application you want to use is one way to go. That way is not wrong.
Another possibility is to install the applications you want in a single TemplateVM and create an AppVM for each of those applications. That might be an acceptable approach depending on your threat model.
There are few things I’d take into account:
- Applications are installed in the TemplateVM but never executed in the TemplateVM. Most bugs and security issues happen when the code is executed (that is why TemplateVM exist in the first place.) Having two applications installed in the same template but never executed in the same AppVM might be sufficient in some scenarios.
- Installing a package from the official Debian or Fedora repositories carries a different risk than installing a package that was downloaded from a website, e.g. GitHub because Debian and Fedora build the packages they provide and ensure they can be verified automatically when installing them. That is something that may change how comfortable you are with Application A and B being installed in the same
template. - If you only use Application A in a given AppVM, and Application B in a different AppVM, then Application A won’t have access to the data you create/use with Application B, even though both AppVMs may be created from the same template, and both applications are available in both AppVMs. It may be worth considering what you’re trying to compartimentalize and hide from Application A: the data you work with when using Application B, or the fact that sometimes you use Application B (metadata)?
All that depends on your theat model and personal compartimentalization goals. And of course, you can mix and match! Maybe application A, B and C can be installed in the same template, used in distinct AppVMs, but application D is better isolated in it’s own TemplateVM–AppVM pair.