As author mention, we can use pvgrub2-pvh in order to be able to use PVH virt_mod.
According to unman answer, source: Managing Kernels - #10 by unman
Using kernels provided by dom0 makes it easier to control and update
that part of the Qubes “infrastructure”.
If user take responsibility and risk to maintain each template kernel, base on distro relevant kernel and known best practice to it.
Which security implications to entire QubesOS installation could we face?
Does it improve or reduce environment security?
Whonix gateway, workstation and Kicksecure templates,
How they can be affected by usage of pvgrub2_pvh in combination with distribution kernel?
Using kernels provided by dom0 makes it easier to control and update
that part of the Qubes “infrastructure”.
That addresses usability.
If user take responsibility and risk to maintain each template kernel, base on distro relevant kernel and known best practice to it.
Which security implications to entire QubesOS installation could we face?
What are is the difference in security between e.g. template-provided Fedora kernel vs dom0-provided Fedora (usually also older) kernel?
Does it improve or reduce environment security?
You can build a custom hardened kernel for a template.
I don’t know about Fedora, but kicksecure and Whonix templates request troubleshooting if you wish to enter sysmaint session with distro kernel usage.
Also Qubes templates of them missing tirdad (network security future) by default, for using tirdad you need distro kernel.
While by morph debian into kicksecure it work well with tirdad and distro kernel, but missing session security futures from kicksecure.
Another hand,
Fedora template with distro kernel, according to my tests and feeling, work smoothly then with Qubes kernel.