It’s not clear to me what threats minimizing the installed software and attack surface in this way protects against. Even if other apps in the VM have unpatched vulnerabilities, I don’t see attackers going after other user-space applications. Having a lot of templates takes up a lot of space and maintenance time, so it’s something I try to avoid. The majority of my AppVMs are based on the current Fedora template, which has all the software they all need.
I have made several templates based on the Debian minimal template. For the most part, I’ve settled on only making them when I need to add a repo or need to make changes to the template. Right now I have one for Signal, I2P, and Docker. If the program will compile or run with out needing to be installed through the package manager, such as Jdownloader, I just keep things like that in their own AppVMs. To get Docker working, I had to add user to the docker group, so I made a separate template for that. It also runs a service, so I don’t need it running in every AppVM and wasting RAM.
qubes-core-agent-networking is installed on all of those. For Signal and I2P, I also have gnome-terminal, nautilus, qubes-core-agent-nautilus, qubes-desktop-linux-common, qubes-gui-common.