My use case is considerably more simple than what is discussed here, but I thought that it might be useful for someone, too. I am not a security specialist or an IT guy. Still Qubes OS also made me reconsider how I use my computer and the Internet in a good way, added structure to my thinking about the workflows. The implemented separation of domains helps my thinking tremendously.
I decided to use as few VMs as possible while having a much more secure workflow than everyone around me ever had, but still trying to decrease my cognitive load. “Reasonably secure” is a perfect phrase which means a different thing for everyone; and Qubes actually allows to adjust its configuration accordingly!
I have just two offline qubes: vault and personal-arxiv, where the first one keeps all the passwords and the second one contains all private documents, music, videos and photos. Even if something gets compromised, it technically cannot go online, so I decided that it’s already good enough for me.
I have just two qubes with the standard Internet access. One named work for everything work-related, including web browsing (with Noscript and Privacy Badger), emails and documents. Another one is a qube named personal exclusively used for personal emails and online banking (with Noscript and Privacy Badger). Links in the emails are automatically opened in a disposable qube. These qubes are based on a Debian template.
There is a separate qube inet for Telegram instant messaging (connected via tor to hide my IP from the server). Links in the chats are automatically opened in a disposable qube. Now that I have a Pinephone, I decided that its security domain will coincide with this qube inet, so I occasionally do browsing there with Noscript. Pinephone, by the way, allows to boot from a microSD card, so you can have “random browsing domain” when booted from internal memory and “instant messaging domain” when the card is inserted.
I also have independent qubes for Skype (via tor) and Zoom.
Now, there are many other things one does in the Internet which do not belong to the qubes listed above and I do most of them in Disposable qubes. For shopping, I open the website, choose what I want to buy and then close the qube, destroying it. Actual purchase is done in a second disposable qube to prevent their tracking of my initial search. Random internet browsing, news reading, Google translate (and deepl.com translate) are all done in many disposable qubes which get created and destroyed all the time (but mostly when I reboot). I have two disposable VM templates, Fedora and Debian, which I use interchangeably. There is no history of my web browsing anywhere. If I want to save some website or download a file, it goes to personal-arxiv qube (via “send to VM”).
So I have “just” 7 qubes not counting the system ones and templates.