Prevent boot tampering

Lets say my computer is consistently unattended, and many people are able to tamper with my device to compromise it while I am not attending it, how can this be mitigated with Qubes?
I am using dasharo Z690 with intel management engine off, so AEM is out of the picture.
I am currently using Fedora with Secure Boot and this gives me the peace of mind that my device is safe from being maliciously tampered with. (at least I think so) However, I want to switch over to Qubes and still have this peace of mind.
If anyone has any input or advice I would appreciate it.

It’s not a standard option, but you can configure the system with /boot detached, and move /boot to a USB device you can carry on your person when you are not using the system.


Thank you for showing me this, this is awesome and it seems like a perfect solution.
I found this guide and it looks promising.
I’m wondering would I benefit by buying a specific USB? Maybe something with faster read/write speeds?

It might make sense to buy one with a write-protect switch so that a potentially malicious BIOS (after putative tampering) can’t modify your /boot files…you can also search for “Heads” (including on this forum), but that’s a more involved solution (also probably better, however).