Hi, it would be interesting to have a “production” and “reference” dom0.
So if something “got hacked” or just failed utterly, one can go to the reference side, which is read-only, in order to get the system running again or to be sure that nobody was able to install a backdoor for stealing credentials and secrets.
So a reference dom0 should be built by Qubes developers and signed, the so-called “factory settings”, while a user should be able to produce user-reference dom0 systems which she holds trustworthy as she did not see signs of intrusion here.
Instead of installing some tools like “Tripwire” that work after the fact, it is wiser to have means to prevent the fact!
So if something seems to be fishy, just go with the user-reference (signed by user) or the developers-reference (signed by developers) and copy it over to the production side, while having successfully archived the old fishy active dom0 for later guru meditation on intrusion using all the fancy intrusion detection tools.