Prevent Qubes OS clearnet leaks

sys-usb has the “provides network” check enabled, because you can use it as a network VM if you plug in a USB network adapter.

I see.

Wouldn’t it be wiser (and “the qubes way”) to have a firewall qube between the client and sys-usb then, instead of relying on an in-qube (in-sys-usb through the DVM template) firewall rule? What I mean is - if we are concerned that sys-usb can leak, then why should we trust it to guard us from those same leaks through a firewall rule (based on its hostname) which is in its control only? Or am I missing something?