Using infected USB devices safely on Qubes

No, it isn’t.

In this case you should not rely on community volunteers; ask a real security expert instead.

Correct.

Looks right.

This policy is the default for a new USB qube, AFAIK. This step can be improved if your hardware allows that and if your threat model implies that USB controller firmware can be compromised. You should put separate USB controllers into the main sys-usb and the secondary one, if you have more than one USB controller. Some of these devices allow that.

In theory, a malicious USB device can compromise not just the OS in the sys-usb qube but also the USB firmware. See also: Reset / reinstall USB qube after compromise.

As a side note, I also recommend creating a disposable sys-usb for everything, including your mouse. By the way, it’s a default in Qubes 4.1.

See also: Proposed procedure for using untrusted USB drives.
