Keepass best practices?

In terms of securing your usage of Keepass2 or KeepassXC, I would recommend the most important step is creating a separate TemplateVM and only using your keepass app of choice from AppVMs derived from that TemplateVM.

By isolating your keepass app’s TemplateVM from your other TemplateVMs you run less risk of accidentally exposing your keepass database file to risk.

As others mentioned, AppVMs you run any keepass-related application in do not need a network connection, so remove that; the clipboard is sufficient for moving secrets out to other qubes for most usage.

I would also add that there is an important concern for any use of encrypted secrets: you should make sure your encrypted secrets can be used by you 10 or 20 years from now. In the case of a keepass database file, you can achieve that by making note of which keepass application you used to create the database file and what its version string was, and then also using Qubes' backup feature to include the TemplateVM with that keepass application in a backup, not necessarily your regular backup, that you can later access if you need to.

Keepass itself is actually an open standard if I understand correctly, so the database files have fairly good interoperability between applications. However, you will find that different applications have introduced extensions and nonstandard behavior that is not interoperable, so it would be beneficial to make note of what application you actually used and make sure you can always have access to it as well.

These applications are also open source, so it is unlikely that they would vanish off the face of the earth, but backing up your TemplateVM is a good idea if you want to explore the model of what could go wrong with mismanagement of your secrets.

Honestly, I don’t bother with key files and cannot comment on what would be good practice for dealing with those. I would suggest you understand that even with disposable VMs, traces of your key file may remain from a forensics standpoint, so I sincerely doubt the security of key files on general principle, even if in practice they are unlikely to be compromised by such traces. I would only ever use a key file for something I didn’t care about and which I considered adequately secured through “obscurity” rather than actual secrecy, but I am not an expert and could be very wrong.

I had mentioned backups before, but it is also worth mentioning that there can be a risk of corrupting your keepass database file! You need to consider backup strategies very, very carefully for a keepass database because a naive approach will lead to overconfidence and a lack of awareness of how much actual risk you have!

Keeping Qubes backups of the qube containing your database file can give you something to revert back to, but if you have an old copy of a keepass database file, then the process of data recovery from it is manual and you won’t necessarily know offhand which entries have stale password information and which ones have current information!

Furthermore, in the event of an actual database file corruption, the exact nature of the damage to the file matters as the file can possibly be recovered without having to risk data loss by rolling back to an outdated backup.
An example that happened to me was that, while using Keepass2, Keepass2 had a fault of some sort and subsequently refused to open the database file, which was a problem because any rollback to an outdated backup would not bring back what I was losing.
However, KeepassXC was able and willing to open the database file, and, though I forget the particulars, after saving the file with KeepassXC, Keepass2 was again able to open the database file and no data was lost as far as I could tell.

With that said, from the perspective of keeping regular Qubes backups small, I would recommend against using a StandaloneVM. An AppVM’s private image is a much smaller backup, and having the ability to back up the TemplateVM and the AppVM separately is good flexibility that StandaloneVMs cannot provide. Additionally, TemplateVMs will save you space should you ever wish to keep more than one AppVM with a keepass database file in it, so by default I will always choose to use TemplateVMs in Qubes OS.
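
Added example, not part of the original post: the setup described above (dedicated TemplateVM, offline AppVM, recorded application version, separate backup of both qubes) written as dom0 shell functions. All qube names, the base template, the apt package manager and the backup destination are assumptions to adapt; with `DRY_RUN=1` (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example for a dom0 terminal; every name below is an assumed placeholder.
BASE_TEMPLATE="${BASE_TEMPLATE:-debian-12}"      # assumption: a Debian template is installed
TEMPLATE="${TEMPLATE:-tpl-keepass}"              # dedicated TemplateVM (hypothetical name)
VAULT="${VAULT:-vault-keepass}"                  # AppVM holding the database (hypothetical name)
BACKUP_VM="${BACKUP_VM:-backup-usb}"             # qube that receives the backup (hypothetical)
BACKUP_DIR="${BACKUP_DIR:-/home/user/keepass-backups}"
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print commands only, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        # Quote every argument so the empty netvm value stays visible.
        for arg in "$@"; do printf "'%s' " "$arg"; done
        printf '\n'
    else
        "$@"
    fi
}

setup_vault() {
    # Separate TemplateVM used only for the KeePass application.
    run qvm-clone "$BASE_TEMPLATE" "$TEMPLATE"
    run qvm-run --pass-io -u root "$TEMPLATE" 'apt-get install -y keepassxc'
    run qvm-shutdown --wait "$TEMPLATE"
    # AppVM derived from it, with no network connection.
    run qvm-create --class AppVM --template "$TEMPLATE" --label black "$VAULT"
    run qvm-prefs "$VAULT" netvm ''
}

record_version() {
    # Print the application version string so it can be noted next to the backup.
    run qvm-run --pass-io "$VAULT" 'keepassxc-cli --version'
}

backup_vault() {
    # Back up the TemplateVM and the AppVM together, apart from the regular backup.
    run qvm-shutdown --wait "$VAULT"
    run qvm-backup --dest-vm "$BACKUP_VM" "$BACKUP_DIR" "$TEMPLATE" "$VAULT"
}

setup_vault
record_version
backup_vault
```

Run once with the default `DRY_RUN=1` to review the printed commands, then with `DRY_RUN=0` in dom0 to apply them.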