OK, point taken. Though someone may not be able to afford a real expert, or know where to find a capable one.
This gets to the main point of my question. So “in theory” it is not safe to use infected USB devices. In that thread @unman says “If the device has attacked the USB controller, then it’s done,
and nothing in Qubes will help.” but does not elaborate.
On the other hand, if it can only infect the controller attached to the VM, then I might be able to keep the other controllers “clean” (I still have to check whether I have more than one USB controller).
Also, you choice of words “in theory” makes it sound like it is questionable whether this had ever been done before.
So in that thread, @unman again states that a USB device attacking the system controller is a viable threat.
On the other hand, @alx’s post suggests this may not be the case:
Does anyone have further information on this topic so I can make an informed decision about the safety of using potentially infected USB devices?