UpdatesProxy policy

This question is part of the ongoing Qubes learning experience.

In Qubes R4.1rc2 /etc/qubes-rpc/policy/qubes.UpdatesProxy defaults to sys-net and not to sys-firewall or sys-whonix. It would seem that a more conservative approach would be to default to a more secure proxy and let the user decide if less security is necessary. It’s understood that all downloads will be verified.

Since dom0 updates are not as frequent as other qube updates by design, couldn’t update requests, intercepted by a MITM, be maliciously returned empty? Without any way of knowing whether updates are available, wouldn’t this effectively leave the system vulnerable?

As a follow-up, many distributions provide an alternative way to determine whether updates/upgrades are available.
