If Windows has the access to the Qubes drive, it can compromise the unencrypted /boot and with it the whole Qubes installation. You can probably detect it with Anti-Evil-Maid or hardware key (like Librem Key) but you can’t prevent it AFAIK.
See also: Verified boot on Qubes -- a lofty dream? and Is it possible to enable UEFI Secure Boot in Qubes OS?.
Perhaps this might helpful: Surveillance Self-Defense. It’s not specifically about Qubes, but Qubes is mentioned sometimes. Also, Qubes is just a meta-OS which isolates your inside-operating-systems. Everything in the link applies to them. In addition, consider compartmentalizing your workflows.
I moved your post to a new topic to make it easier for new users to find the answers