I strongly suggest that we
- take defence in depth seriously, there is no need to make the attacker’s job simpler, hardening VMs as much as possible while keeping stuff usability-friendly (and write down best practices for everything possible, like, “how to use Dropbox properly with Qubes”, and the answer would be something other than “don’t use Dropbox”)
- start thinking about heuristics that would help us to keep track of template-based VMs’ abnormal behaviour, possible backdoors/persistence mechanisms, Xen instrumentation for VM introspection, host IDS, integrity checks, health checks (osquery, log processing, “one machine SIEM”, whatever, everything that “grown up” security solutions have had for decades)
- easier “self-forensics” and tools to perform cryptographic integrity verification and collect artifacts when we are in doubt
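As an added example (not code from the post's author or from the Qubes project), here is a minimal baseline-and-verify tool of the "cryptographic integrity verification" kind the third point asks for. It hashes the files under a list of paths, stores the result as JSON, and later reports what was added, removed or modified. The path list in `DEFAULT_PATHS` is an assumption for illustration; the point is that in a template-based AppVM only a small set of locations survives a reboot, so a persistence mechanism has to leave a trace there, and a hash baseline of those locations is a cheap check. The `demo()` function builds a constructed scenario in a temporary directory rather than touching a real VM.

```python
"""Hash baseline for the persistent locations of a template-based Qubes AppVM.

Added illustration, not Qubes code. Only the private volume (/rw, /home)
persists across reboots in an AppVM, so that is where a reboot-surviving
change has to live; hashing it against a stored baseline finds drift.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed persistent locations worth watching; adjust for your own setup.
DEFAULT_PATHS = [
    "/rw/config",            # rc.local, bind-dirs configuration
    "/rw/bind-dirs",         # files bound over the template's root
    "/home/user/.bashrc",
    "/home/user/.profile",
]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (large files are fine)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots) -> dict:
    """Return {absolute path: sha256} for every regular file under roots.

    Missing roots are skipped silently: a path that later appears shows up
    as 'added' on the next comparison, which is exactly what we want.
    """
    baseline = {}
    for root in roots:
        root = Path(root)
        if root.is_file() and not root.is_symlink():
            baseline[str(root)] = sha256_file(root)
        elif root.is_dir():
            for p in sorted(root.rglob("*")):
                if p.is_file() and not p.is_symlink():
                    baseline[str(p)] = sha256_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two baselines."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in baseline if k in current and baseline[k] != current[k]
        ),
    }


def save_baseline(baseline: dict, out) -> None:
    Path(out).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, then change rc.local and drop
    an extra bind-dirs entry, and report the drift by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "config"
        (cfg / "qubes-bind-dirs.d").mkdir(parents=True)
        (cfg / "rc.local").write_text("#!/bin/sh\n")
        (cfg / "qubes-bind-dirs.d" / "50_user.conf").write_text(
            "binds+=( '/etc/example' )\n"
        )
        baseline = build_baseline([cfg])

        # Simulated drift, as a reboot-surviving change would leave it.
        (cfg / "rc.local").write_text("#!/bin/sh\necho changed-at-boot\n")
        (cfg / "qubes-bind-dirs.d" / "60_extra.conf").write_text(
            "binds+=( '/etc/another' )\n"
        )
        diff = compare(baseline, build_baseline([cfg]))
        return {k: [Path(p).name for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Usage: run `build_baseline(DEFAULT_PATHS)` right after setting the VM up and `save_baseline()` the result, then periodically `compare(load_baseline(...), build_baseline(DEFAULT_PATHS))`. The baseline file must not live inside the VM it describes, since anything that can modify `/rw` can also rewrite the baseline; keep it in dom0 or a separate vault qube, and prefer running the check from there (for example over the private volume) rather than from inside the VM being checked.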