Agree, but I have already 20+ AppVM in my list and I prefer to have all my secrets in my secrets AppVM. This is a good compromise imo, therefore it is my best practice. As usual everyone has her/his personal view on this - his/her best Qubes setup.
In Qubes OS words: It is a reasonably secure solution 