Thanks everyone for your replies and insights. I will continue “testing” and researching how to do this properly, acknowledging that it might be impossible to detect anomalies as per @adw and @icequbes1 comments.
But this brings me to another question.
Several posts on this forum ask for deeper security exploration which may be beyond the scope of the Qubes OS project. These are 2 recent examples:
more-practical-security-for-qubes-and-more-realistic-threat-model
my-personal-experience-of-attempt-to-harden-qubes-vm
I approve of Qubes OS default configuration. Qubes OS is very, very, usable while very reasonably secure.
However, evil-maid or hacking through physical access remains a major problem. State-actor evil-maid, or major crypto-currency theft evil-maid, or business intelligence evil-maid, are “normal” threats for many. That’s why people choose to use Qubes OS. Anti-evil maid is not an option for most (No TPM 1.2; no hardware readily available for anti-evil maid setup). So I wonder if it’s possible to develop a guide to verify manually if a Qubes OS machine is contacting IPs that should be cause for concern. Just putting the question out there.
Thank you again for your replies and for this community.