There should be a simple interface with hooks into sys-net that should be opened and presented to a user at first login. Until a user explicitly allows, sys-net should not emit any IPv6/IPv4 packets at all.
This mechanism should be an option in the installer.
On the other hand, the user can easily leave the Ethernet cable unplugged and/or not type in the WiFi credentials, and achieve the same goal without any changes to the install process!
It still require you to know you need to disable update checking for all qubes which is on by default.
Definitely. But this is a different topic and maybe the automatic updates should be disabled after install, until the user confirms that it is ok to update using the default config, or change the default config.