Every user’s needs are different, so it makes sense to ship, for example, the default Firefox configuration. If you think something is truly unsafe, you should report it to the upstream developers of the respective packages.
In the meantime, if you wish to harden Firefox, you should check out my guide: [Guide] Automatically install extensions and configure new (dispvm) hardened Firefox profiles with arkenfox user.js and policies
Or harden your VMs with Kicksecure: Hardware information masking and spoofing with hypervisor - #5 by BEBF738VD
Using Qubes OS instead of any other OS is arguably already a big security improvement.
You can create minimal templates which, by default, do not include the qubes-core-agent-passwordless-root package.
An attacker should exploit a Xen vulnerability.