Here’s your answer:
The Qubes update proxy ensures that no software actually gets direct access to the internet, that it never interacts with any network hardware directly, and that anything going into the template is not parsed inside the template, providing mitigation against exploits.
Not only that, as far as the template is concerned, all the network packets came from itself, which keeps them as “vanilla” as possible.
If you want to create a self-signed certificate to localhost, sure, but it won’t actually do anything meaningful…
No. But you can configure all of that using the Qubes Global Config.