Updates check over clearnet instead of sys-whonix and other strange decisions

Not necessarily. If you’re not connected to the network on firstboot, then you can change this setting before any qube has a chance to check for updates. But I agree that the situation can be improved, hence #9406.

Please feel free to open another enhancement request for exposing this option in the installer too.

In general, a machine can’t check for updates unless it’s powered on. This also applies to templates. They can’t check for updates unless they’re running. But they’re usually not running, except when they’re being updated (or you’re installing software in them or customizing them). So, if only templates (and not template-based qubes) checked for updates, you’d probably never find you need to update until you actually try to update. In other words, update checking would become useless.

I think the confusion stems from conflating updates with update checks. You’re correct that template-based qubes generally don’t need to be updated themselves, but they’re usually the only ones running, so they’re usually the only ones who are able to check for updates (at least in a timely fashion and on a sufficiently regular basis).

That’s like saying, “What’s the point of bulletproof glass? After all, if you want something to be impervious to bullets, you certainly don’t want anyone to be able to see through it.”

That doesn’t follow, because security and privacy are distinct concepts that can come apart. Sometimes you want security. Sometimes you want privacy. Sometimes you want both.