From what I understand, downloading repository metadata should be forced through the VPN because “It is the qubes that perform update checks and then notify dom0
accordingly.” (https://www.mail-archive.com/qubes-users@googlegroups.com/msg27567.html)
Default services - clock, update, (both for templates and dom0).
You need to actively intervene to have default ClockVM behind Tor/VPN
Likewise for dom0 update checks.
Template update checks are indeed performed by qubes
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
There is also “Default update proxy” used for TemplateVM updates that you need to set.
You need to set the “Disable checking for updates for all existing qubes” and in “Except the following qubes, for which checking for updates will be enabled” you can set the qubes that will be used to check the updates.