I have a qube called “library” where I store… basically everything. Videos, documents, potentially untrusted stuff as well of course.
I also have a vault qube for only my passwords.
The reason being that:
- I have some software installed in my normal library to make my life a bit easier. Some fonts, custom command prompts, some system utilities, … This is attack surface.
- Should I somehow open a malicious file, I really don’t want to do that anywhere near my passwords.
The latter can be omitted by not having VLC, LibreOffice or other high-risk parsers on the library; however, to limit the number of templates I need to handle, I think I have those installed. I try to open everything in disps, but I may fuck up.
So this is my reasoning for having a special vault VM. Also it makes backups a bit easier imo.
For browsing I use whonix-ws-disps. Sometimes I need to do stuff in clearnet; for this I use clearnet-disps. However, I do have a Netflix qube that I only use for Netflix, for the convenience of not needing to log in.
If by separate you mean really separated, or separated due to missing persistence as with disps, yes, not having to have cookies from other stuff I did. That is why I use disps 99% of the time.
I personally would not trust the browser to do this 100% perfectly, so I just resort to the safest approach of using a vanilla, never-used browser from disp VMs.
I have those too. Not necessary, but makes things a bit more tidy if I know that anything related to projectA is in this qube and only there.
Another thing that you did not mention are other “app related” qubes. I have those for some Docker stuff, like drawio and suchlike, or high-risk applications like messenger and communication qubes.
In the end everybody has to figure out how much compartmentalization one needs or wants. Everything is possible between using one singular qube and having thousands. Somewhere in between usually is the sweet spot, but that depends on use case. I, for example, have some use-case-related qubes for high CPU or RAM usage tasks, some bound to specific projects and others with specific services that other people probably don’t need.