Security concern regarding bind-dirs

QubesOS advertises as one of its important security features the fact that changes to system files don’t persist between AppVM restarts. However, it’s possible to change that, by simply configuring bind-dirs in the AppVM’s /rw/config/qubes-bind-dirs.d. Furthermore, most users configure passwordless root.

Doesn’t this mean that malware can persist its changes to system files, by simply configuring bind-dirs while the AppVM is running? I suppose it would be possible to discover the changes to /rw/config/qubes-bind-dirs.d, but that would require checking every time the AppVM boots.

3 Likes
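One way to do the per-boot check of /rw/config/qubes-bind-dirs.d that the post above describes, as an added example that is not part of the thread and not Qubes project code: it compares every configured bind against an allowlist and flags any line that is not a plain bind entry. The `binds+=( '/path' )` line form is assumed from the Qubes bind-dirs documentation; the function name and the allowlist file (one path per line) are hypothetical.

```shell
#!/bin/sh
# Added example (not Qubes project code). Audits bind-dirs configuration.
# audit_bind_dirs CONF_DIR ALLOWLIST_FILE
#   Prints one finding per line; returns 1 if anything is unexpected, else 0.
# Config files are read as text and never sourced: they are shell snippets,
# so a tampered one could carry arbitrary commands, not only extra binds.
audit_bind_dirs() {
    abd_dir=$1
    abd_allow=$2
    abd_rc=0
    # Only the plain form  binds+=( '/absolute/path' )  counts as a bind line.
    abd_strict="^binds\+=\( *'/[A-Za-z0-9._/-]+' *\)\$"
    [ -d "$abd_dir" ] || return 0
    for abd_f in "$abd_dir"/*; do
        [ -f "$abd_f" ] || continue
        # Trim whitespace, drop blank lines and comment lines.
        abd_body=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                       -e '/^$/d' -e '/^#/d' "$abd_f")
        [ -n "$abd_body" ] || continue
        while IFS= read -r abd_line; do
            if printf '%s\n' "$abd_line" | grep -Eq "$abd_strict"; then
                abd_path=$(printf '%s\n' "$abd_line" | sed "s/^[^']*'//; s/'.*\$//")
                if ! grep -Fxq -- "$abd_path" "$abd_allow" 2>/dev/null; then
                    echo "UNEXPECTED-BIND $abd_f: $abd_path"
                    abd_rc=1
                fi
            else
                echo "NOT-A-PLAIN-BIND $abd_f: $abd_line"
                abd_rc=1
            fi
        done <<EOF
$abd_body
EOF
    done
    return "$abd_rc"
}

# Demo on constructed sample data (a temp directory, not a real qube).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/qubes-bind-dirs.d"
printf '%s\n' "/etc/cups" > "$demo_dir/allowlist"
printf '%s\n' "# constructed sample" "binds+=( '/etc/cups' )" \
    "binds+=( '/etc/systemd/system' )" > "$demo_dir/qubes-bind-dirs.d/50_user.conf"
audit_bind_dirs "$demo_dir/qubes-bind-dirs.d" "$demo_dir/allowlist" || true
rm -rf "$demo_dir"
```

With passwordless root, anything stored under /rw can be rewritten by the same malware, so the script and allowlist only mean something if they live outside the qube's writable storage, for example in the template.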

That would require malware specifically tailored to target Qubes systems. But it seems possible to me.

You can avoid this behaviour! See How to make any file persistent (bind-dirs) — Qubes OS Documentation. It will allow you to choose what directories are persistent via dom0 or your template.

However…

However, I would tend to think that having bind-dirs configured or not does not make a great difference: as you probably know, the home folder of the AppVM is, by default, persistent between reboots too; thus, even without bind-dirs, malware could implant itself under /home/user/..., and, say, autostart by adding something like ./path/to/the/malware into your .bashrc.
The real vulnerability lies, in my eyes, in the persistence of the home folder (or any other), not in the existence of bind-dirs (that’s why you should use disposables everywhere you can).

Nonetheless, it is true that you actually need some persistence, for storing your files, gpg keys, etc. To tighten those loose ends, I can only redirect you toward the broad “hardening of qubes” topic; “qubes” here refers to individual qubes, not Qubes OS.
For instance, you could set up whitelisting of your files, redeploying some at each reboot…

Here are some links of interest (the second and third are not directly related, but are still nice to look at):

4 Likes

See also Templates — Qubes OS Documentation

4 Likes