There is no way to deliver anything to dom0 in a secure and simple way.
You can use qvm-run as described in the documentation to copy files from a trusted domain.
This will get old if done often. A tricky, but very convenient solution would be to create your own yum repository. This will both allow you to use existing package management mechanisms and improve security using gpgcheck.
I see,
so basically copying what unman does in shaker as best practices?
I lowkey hoped for a simpler solution for my smaller scale, but fair enough.
Time to look into how to run a yum repo