Unikernels are cool and I like them :]
IMO the weakest aspect of Qubes is that, despite all the efforts of the developers, compartmentalizing things has notable friction. Check out stuff like Quick Quality-of-Life Improvements, write your own scripts, figure out your own security policy and find a way to reliably enforce it (e.g. never move things from less trusted to more trusted domains, never open files in vaults, etc. - what is allowed to be done, how, in what situations and why).
Customized qrexec policies, passwordful root and MAC could be useful for further hardening but only in some circumstances.
I bet I’m forgetting some stuff at this point but you will get the hang of it over time.
p.s. Here are some related links I've stumbled upon recently:
- Split dm-crypt for Qubes OS: isolate secondary storage dm-crypt and LUKS header processing to Qubes OS DisposableVMs
- qcrypt multilayer encryption tool for Qubes OS
- Install Qubes OS with boot partition and a detached LUKS header on USB
- Building a fully immutable Linux OS image, fully verified with your own Secure Boot key
- rustybird/qubes-app-split-browser: Tor Browser (or Firefox) in a Qubes OS disposable, with persistent bookmarks and login credentials
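One way to turn the "never move things from less trusted to more trusted domains, never open files in vaults" rules into something Qubes enforces for you is a user qrexec policy file. What follows is an added example written for this reply, not anything the poster or the Qubes project ships; it uses the Qubes 4.1+ policy format, and the qube name (`vault`), the tags (`lowtrust`, `hightrust`, attached with e.g. `qvm-tags work add hightrust` in dom0) and the file name are all assumptions.

```text
# /etc/qubes/policy.d/30-user.policy   (assumed file name)
#
# Files in policy.d are read in lexicographic order and the first line
# that matches a request wins, so this file must sort before the shipped
# 90-default.policy or it never takes effect.
#
# service              argument  source          destination     action

# Nothing flows from the low-trust tier into the high-trust tier,
# whichever tool is asking (tag names are assumptions, not built-ins)
qubes.Filecopy         *         @tag:lowtrust   @tag:hightrust  deny
qubes.ClipboardPaste   *         @tag:lowtrust   @tag:hightrust  deny

# Nothing is ever opened inside the vault: no files, no URLs, from anywhere
qubes.OpenInVM         *         @anyvm          vault           deny
qubes.OpenURL          *         @anyvm          vault           deny

# When the vault itself wants to view a file, it goes to a fresh
# disposable without a prompt instead of to a named qube
qubes.OpenInVM         *         vault           @anyvm          allow target=@dispvm

# Copies between two high-trust qubes still get a prompt rather than a silent allow
qubes.Filecopy         *         @tag:hightrust  @tag:hightrust  ask
```

The deny lines sit first on purpose: with first-match-wins semantics, an `ask` or `allow` placed above them would let the prompt through before the rule ever applied. Anything not listed here falls through to the default policy, which is the "only in some circumstances" part: the file hardens the specific flows you decided on and leaves the rest of the system's behaviour untouched.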