This is true. Note that Qubes OS is a reasonably secure OS, not maximally secure OS. New users without much experience will not be able to enjoy and stick with Qubes OS if they are constantly blocked from using the system due to the USB keyboard. (Same with the root password IMHO.)
Do you have a better suggestion how it should be done? By the way, this is the reason why it’s recommended to run Qubes on devices without a USB keyboard.