For context, I’m on an outdated-outdated version and must upgrade Qubes. For transparency, my daily Qubes drivers are a Debian 11 standalone that does 99% of the work and the Personal qube for email. I’m ready to become more Qube-dantic.
Install Qubes
Option 1
Copy the Work Qube then install my PDF reader software and move the PDFs to there.
Copy the Work Qube then install VScode, git, etc.
Copy the Work Qube then install Anki Flash Cards (definitely this method)
Option 2
Copy the Work Qube and then install of the software there and then copy a the Qubes and move the desired software to that Qube.
I like Option 1 because newly discovered crappy software is isolated and not in the “main” Qube.
From what I’ve understood from your post, that “99% of the work” standalone seemingly needs a lot of apps that aren’t included by default, it’s not the best in terms of security and I would advise you to divide your “work” standalone into other dedicated standalones (or better yet create Template-AppVM pairs to clean the root filesystem every time your AppVM is started in order to protect yourself from modifications to the root filesystem).
I believe option 1 is more secure, but you’d be better off just downloading the newest Debian template (debian-13 at the time of writing this) through the Qubes Template Manager (or by running qvm-template install debian-13 in dom0), and then create different standalones by cloning them from that fresh debian-13 template.
You could also upgrade in-place your current “Work” standalone without doing anything else, but I’d rather begin from a clean slate :
Should also isolate browsing. The web is made mostly of attack surface. You can use different appvms almost like bookmarks for frequent sites that you have to log into and dispvms for everything else.