QubesOS vs OpenBSD Security

Thank you for the responses! I’m leaning towards using Qubes-OpenBSD, but the last concern I have is with attack surface:

You can use Qubes OS to gain the advantages of compartmentalization and then run Whonix/Kicksecure/OpenBSD/whatever in those qubes.

The issue I see with that is that using Qubes and OpenBSD will have a larger attack surface than if I just used OpenBSD. If I do use Qubes, I’ll follow the advice given and switch sys-net to OpenBSD (thanks for that link), but if an attacker wants to attack the setup, he’ll just try to find an OpenBSD bug, or a Xen breakout bug. Let’s assume both of those are of equal difficulty to find.
If an attacker gets access (meaning it isn’t compromised, but malicious code is running, such as JS) to a VM, could he theoretically just directly attack the hypervisor instead of working on getting any more data / permissions from OpenBSD? If this is true, a Qubes-OpenBSD setup will be less secure than a purely OpenBSD setup, right? If an attacker has to compromise the entire VM to break out, and THEN break Xen virtualization, then Qubes-OpenBSD is clearly superior to OpenBSD on bare metal. But maybe all of this depends on the kind of exploit?

In the second case, if your VM is compromised, it does not mean that the other VMs, or dom0 are compromised, too. For that, you would need to additionally escape the virtualization.

Just directly responding to this too: what if the attacker just directly targets the virtualization instead of the OS?