Single File Storage for App VMs

The problem is that no such reliable testing procedure exists, except for cryptographically-authenticated data.* The best you can do is probably some kind of advanced antivirus/malware scanning, but that can never conclusively prove that a file is non-malicious, since it’s always possible that the malware is sufficiently new and advanced that your scanner cannot detect it.

Disposables are not a panacea. If you parse a malicious file in a disposable, the disposable can be compromised. Then, when the disposable (or the relevant software running in it) tells you that the file is non-malicious, it may be lying to you. Being ephemeral does not give disposables any other special powers beyond regular app qubes.


*For example, the Qubes backup system uses authenticated encryption, which is what makes it possible to move data from a less-trusted place (e.g., cloud storage) to a more-trusted place (e.g., dom0, your vault qube) securely, but this relies on the fact that you know the passphrase used for encryption and authentication.

Similarly, the Qubes update system allows data to move from a less-trusted place (e.g., a random repo mirror) to a more-trusted place (e.g., dom0, your templates) securely, but again, this relies on the fact that your system already has trusted signing keys so that it can verify the signatures on updates.

In both cases, there’s still no guarantee that the data is non-malicious. (You can include malicious data in your backups. A rogue developer can sign a malicious package.) The only guarantee is that the data is authentic.
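To make the footnote concrete, here is an added example (not part of the original post, and not the Qubes backup format or code) of verifying data from an untrusted place before any parser touches it. The blob layout, the function names, and the use of PBKDF2 plus HMAC-SHA256 from the Python standard library are assumptions chosen for illustration; the sample payloads are constructed.

```python
import hashlib
import hmac
import json
import os

SALT_LEN, TAG_LEN = 16, 32  # layout of this example's blob: salt | tag | payload


def _key(passphrase: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever KDF a real tool uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def seal(passphrase: str, payload: bytes) -> bytes:
    """Run in the trusted place before the data leaves it."""
    salt = os.urandom(SALT_LEN)
    tag = hmac.new(_key(passphrase, salt), salt + payload, hashlib.sha256).digest()
    return salt + tag + payload


def open_verified(passphrase: str, blob: bytes) -> bytes:
    """Check the tag over the raw bytes; no parsing happens before this passes."""
    if len(blob) < SALT_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt, tag = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + TAG_LEN]
    payload = blob[SALT_LEN + TAG_LEN:]
    expected = hmac.new(_key(passphrase, salt), salt + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed, refusing to parse")
    return payload


def import_from_untrusted(passphrase: str, blob: bytes) -> dict:
    return json.loads(open_verified(passphrase, blob))  # parser sees authentic bytes only


if __name__ == "__main__":
    pw = "constructed example passphrase"
    blob = seal(pw, b'{"notes": "grocery list"}')
    print(import_from_untrusted(pw, blob))            # authentic: parsed
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])      # storage flipped one bit
    try:
        import_from_untrusted(pw, tampered)
    except ValueError as e:
        print("rejected:", e)
    # Authentic does not mean harmless: sealed content is accepted as-is.
    bad = seal(pw, b'{"notes": "constructed stand-in for harmful content"}')
    print(import_from_untrusted(pw, bad))
```

The last case is the point of the final paragraph above: the check only establishes who produced the bytes, so whatever was sealed in the trusted place comes back out unchanged.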