Redundant VPN firewalls make sense whenever the appVM firewall rules include URLs, since the qubes-firewall service in the vpnVM can fail if DNS is not resolved. For this reason, I try to avoid using URL-based firewall rules.
With the Mullvad SOCKS5 proxy, for example, one only needs a single appVM rule restricting access to 10.x.0.1. In this case, the following setup works perfectly; no redundant firewalls are needed, and the vpnVM firewall is sufficient.
appVM > vpnVM > sys-firewall
However, if for some reason I wanted to include a URL in my appVM rules, I would structure it as follows:
appVM > redundant-firewallVM > vpnVM > sys-firewall
and I would occasionally check
systemctl status qubes-firewall in the redundant-firewallVM.
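
The occasional check described in the post above, automated as an added example that is not part of the original post. The unit name qubes-firewall comes from the post; the function names, the --watch switch and the 300-second default interval are assumptions made for illustration, and the script is meant to run inside the redundant-firewallVM.

```shell
#!/bin/sh
# Added example: poll the qubes-firewall unit from inside the
# redundant-firewallVM instead of checking it by hand.
# Function names, --watch and the 300 s interval are illustrative assumptions.
UNIT=qubes-firewall

# Print the unit state (active, inactive, failed, ...) and return 0
# only when it is exactly "active". "|| true" keeps a non-zero exit
# from systemctl from aborting callers that run under "set -e".
firewall_state() {
    state=$(systemctl is-active "$UNIT" 2>/dev/null) || true
    [ -n "$state" ] || state=unknown
    printf '%s\n' "$state"
    [ "$state" = active ]
}

# One check: silent when healthy, timestamped warning on stderr otherwise.
check_once() {
    if s=$(firewall_state); then
        return 0
    fi
    printf '%s WARNING: %s is %s; inspect with: systemctl status %s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$UNIT" "$s" "$UNIT" >&2
    return 1
}

# Repeat the check forever, sleeping $1 seconds between runs.
watch_firewall() {
    interval=${1:-300}
    while :; do
        check_once || true
        sleep "$interval"
    done
}

# Start the loop only when asked, e.g.: sh fw-watch.sh --watch 300
if [ "${1:-}" = "--watch" ]; then
    watch_firewall "${2:-300}"
fi
```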