To add to this: passwordless root should be disabled by default, replaced by something like a sudo prompt. Apparently even Joanna has reversed her previous position on it, yet in R4.1, passwordless root is default on all non-minimal templates.
We should be applying the Swiss cheese model of engineering by closing as many holes as possible, not opening a gaping hole in each simply because it’s convenient and because Qubes has more pieces of cheese. This sort of arrogance is what sunk the Titanic, Yamato, and Bismarck,
