Recommendation against "qubes-dom0-update" (use "Qubes Updater" instead)

The current state of dom0 updates seems to be:

sudo qubes-dom0-update doesn’t have the security benefits behind the GUI Qubes Updater, which uses the Salt version of this command. The main concern is with the Qubes repo metadata (correct me if I’m wrong), which isn’t verified due to some configuration issues. This would allow an attacker to block (but not modify) a package from being updated. A fix is being worked on and @adw is currently working on an announcement for this.

The Salt version of dom0 update has a critical issue that might be exploitable, since a bug in Salt leads to updates returning "OK"s even when they fail (e.g. ethernet cable unplugged).

So there are issues in both the Salt and the regular CLI versions of dom0 updates. The latter might actually be more severe (I think), but Salt provides the additional security checks, so it might be the lesser of two evils.

Either way, I think the case could be made for a website that lists dates on which dom0 packages were updated, sorted by date (so like a calendar) where cautious users get an easy resource to check if they suspect anything is off. Just another (low-cost) layer of protection, like an invisible pocket protector.

As usual, I’m not technical so take my words with a grain of salt (no pun intended). Also, is there a way to make a signature that’s added to every post I make? That thing kids in old-timey forums use to decorate their posts with flashy banners to show off.