New to Qubes - Crypto - Yubikey - Librem Mini/14

Yes, works and it is the perfect match with KeePassXC :point_up:

Maybe this is interesting for you.

Yes (nothing is 100% but you are very secure)

When you are done with the docs you will see that you (have to) fully trust dom0. That also means that your (default; no networking) vault AppVM is almost as trusted as dom0 itself. I mean, you could theoretically store your secrets in plain text since only you / dom0 should have access to it. “…if your app qubes are network disconnected, even though their filesystems might get compromised due to the corresponding template compromise, it still would be difficult for the attacker to actually leak out the data stolen in an app qube. Not impossible (due to existence of covert channels between VMs on x86 architecture), but difficult and slow.”

For your secrets I would suggest you set a long LUKS disk password, use the default vault AppVM (networking OFF), and KeePassXC with a strong password and Yubikey Challenge-Response. Additionally, you can set up OTP within KeePassXC, in an extra AppVM, on your Yubikey or on an OTP app you trust (i.e. installed on GrapheneOS).
