Vectors of Attack via USB Devices

USB is a shared bus, i.e. all USB devices attached to the same PCIe hub will be able to talk to each other. Malicious USB devices (e.g. your DVD writer) can also easily register themselves as keyboards or whatever they want.

PS/2 is not shared and is restricted to keyboard or mouse only, IIRC.

What security properties you have wrt USB heavily depends on how you configure Qubes OS and/or what you did during the Qubes OS installation (e.g. if you used a USB keyboard during install or not).

Currently there are 3 modes:

  1. Some USB controllers in dom0 (e.g. if you need a USB keyboard) & USBGuard disabled → Qubes will warn you during boot about “unrestricted USB” or so. → Essentially any bad USB device on any such port may gain control of Qubes OS.
  2. Some USB controllers in dom0, restricted by USBGuard. → Some protection, useful for those who need USB keyboards.
  3. No USB controllers in dom0, all assigned to sys-usb. → Best protection for those with PS/2 inputs. Good, but less great with input forwarding from USB keyboards to dom0 (see the doc article you mentioned for the remaining attacks).

Mode 2 was added with 4.1 and doesn’t exist on 4.0.

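As an added example (not part of the post above and not Qubes OS code), the following audit lists which attached USB devices expose a keyboard interface and flags those that also expose non-HID interfaces, the "DVD writer that is also a keyboard" case. It assumes the standard Linux sysfs layout under `/sys/bus/usb/devices` and would be run in whichever domain holds the USB controllers; the function names and the sample tree are constructed for illustration.

```python
import os

KEYBOARD = ("03", "01", "01")  # HID class, boot subclass, keyboard protocol
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""

def keyboard_capable(sysfs_root="/sys/bus/usb/devices"):
    """List USB devices exposing a keyboard interface; mixed=True means the
    device also exposes non-HID interfaces (e.g. storage plus keyboard)."""
    devices = {}
    for entry in sorted(os.listdir(sysfs_root)):
        if ":" not in entry:  # interface entries are named like "1-2:1.0"
            continue
        triple = tuple(_read(os.path.join(sysfs_root, entry, f)).lower() for f in FIELDS)
        devices.setdefault(entry.split(":", 1)[0], []).append(triple)
    return [{"device": dev,
             "product": _read(os.path.join(sysfs_root, dev, "product")),
             "mixed": any(t[0] != "03" for t in triples)}
            for dev, triples in devices.items() if KEYBOARD in triples]

def build_sample_tree(root):
    """Constructed sysfs-like tree for offline runs (not real device data)."""
    sample = {"1-1": ("Plain Keyboard", [KEYBOARD]),
              "1-2": ("DVD Writer", [("08", "02", "50"), KEYBOARD]),
              "1-3": ("Flash Drive", [("08", "06", "50")])}
    for dev, (product, ifaces) in sample.items():
        os.makedirs(os.path.join(root, dev))
        with open(os.path.join(root, dev, "product"), "w") as fh:
            fh.write(product + "\n")
        for n, triple in enumerate(ifaces):
            idir = os.path.join(root, f"{dev}:1.{n}")
            os.makedirs(idir)
            for name, value in zip(FIELDS, triple):
                with open(os.path.join(idir, name), "w") as fh:
                    fh.write(value + "\n")

if __name__ == "__main__":
    for row in keyboard_capable():
        print(row)
```

A row with `mixed` set to true is a device worth checking against what is physically plugged in before its controller is trusted with keyboard input.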