You are right. The host on Qubes OS (dom0) has no networking and never runs any software by default. Also, hardware virtualization, which Qubes uses, was last broken in 2006 by its founder: https://en.wikipedia.org/wiki/Blue_Pill_(software).
The hypervisor problem can be solved (in theory) with secure boot configured with custom keys and full disk encryption. I don't know anyone who actually uses Qubes so I don't know how practical that solution is.
Coreboot has something similar to secure boot, so even if you use an open source boot loader, this can be done.
An attacker would need to do some quite invasive hardware tampering to get a third party hypervisor to work on a system secured like that.
Furthermore, preventing hypervisor detection requires constant updates if the OS itself is configured to check for the presence of a hypervisor. There's a constant arms race going on between security researchers and cybercriminals who don't want their malware to trigger on analysts' machines, many of which use virtualization to easily reset the system back to a known, secure state. Every time malware comes up with a new method of detection, your evil hypervisor needs to be patched to fake that too, or you risk detection the next time the OS updates its detection algorithms.
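To make the "check for the presence of a hypervisor" side of that arms race concrete, here is an added example (not code from the thread or from the Qubes project) of the most basic check an OS or a malware sample runs: CPUID leaf 1 ECX bit 31, which x86 reserves for hypervisors to announce themselves, and CPUID leaf 0x40000000, where the hypervisor places a 12-byte vendor string such as "KVMKVMKVM", "XenVMMXenVMM", "VMwareVMware" or "Microsoft Hv". The function names, the three-way classification and the constructed register values in the self-check are my own; a hypervisor that wants to stay hidden has to lie in exactly these registers, and every further probe the guest adds is one more thing it has to fake.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CPUID is x86-only; on other architectures the live probe reports -1. */
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Decode the 12-byte hypervisor vendor string that CPUID leaf 0x40000000
 * returns in EBX:ECX:EDX. buf must hold at least 13 bytes; the result is
 * NUL-terminated. */
void hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char *buf) {
    memcpy(buf + 0, &ebx, 4);
    memcpy(buf + 4, &ecx, 4);
    memcpy(buf + 8, &edx, 4);
    buf[12] = '\0';
}

/* Pack a vendor string into the three registers, the way a hypervisor that
 * advertises (or spoofs) a vendor fills them. Pads with NUL / truncates to 12. */
void hv_regs_from_vendor(const char *vendor, uint32_t *ebx, uint32_t *ecx, uint32_t *edx) {
    char tmp[12] = {0};
    strncpy(tmp, vendor, 12);        /* 12 raw bytes, deliberately no terminator */
    memcpy(ebx, tmp + 0, 4);
    memcpy(ecx, tmp + 4, 4);
    memcpy(edx, tmp + 8, 4);
}

/* Classify what a guest sees. Returns:
 *   0 = hypervisor bit (CPUID.1:ECX[31]) clear: no hypervisor announced
 *   1 = hypervisor bit set and a vendor string present
 *   2 = hypervisor bit set but the vendor leaf is all zeros: something is
 *       there but not identifying itself, which a detection rule can flag too */
int hv_classify(uint32_t leaf1_ecx, uint32_t ebx, uint32_t ecx, uint32_t edx, char *vendor_out) {
    int hv_bit = (leaf1_ecx >> 31) & 1;
    hv_vendor_from_regs(ebx, ecx, edx, vendor_out);
    if (!hv_bit) return 0;
    if (ebx == 0 && ecx == 0 && edx == 0) return 2;
    return 1;
}

/* Convenience wrapper over constructed values: classify a (hv_bit, vendor) pair
 * as if a hypervisor had reported exactly that. Used by the self-check below. */
int hv_classify_vendor(int hv_bit, const char *vendor) {
    uint32_t ebx, ecx, edx;
    char buf[13];
    hv_regs_from_vendor(vendor, &ebx, &ecx, &edx);
    return hv_classify(hv_bit ? (1u << 31) : 0u, ebx, ecx, edx, buf);
}

/* Pack a vendor into registers and decode it again; returns 1 if the 12-byte
 * string survived the round trip. decoded may be NULL. */
int hv_vendor_roundtrip(const char *vendor, char *decoded) {
    uint32_t ebx, ecx, edx;
    char tmp[13];
    hv_regs_from_vendor(vendor, &ebx, &ecx, &edx);
    hv_vendor_from_regs(ebx, ecx, edx, tmp);
    if (decoded) strcpy(decoded, tmp);
    return strncmp(vendor, tmp, 12) == 0;
}

/* Live probe of the machine this runs on. Returns the hv_classify() code or -1
 * when CPUID is unavailable. __cpuid (not __get_cpuid) is needed for the
 * 0x40000000 leaf, since it lies above the basic max-leaf that __get_cpuid checks. */
int hv_detect_live(char *vendor_out) {
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return -1;
    unsigned int leaf1_ecx = ecx;
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    return hv_classify(leaf1_ecx, ebx, ecx, edx, vendor_out);
#else
    (void)vendor_out;
    return -1;
#endif
}

int main(void) {
    char vendor[13];
    int r = hv_detect_live(vendor);
    if (r < 0)       printf("CPUID not available on this architecture\n");
    else if (r == 0) printf("no hypervisor announced (bit clear)\n");
    else if (r == 2) printf("hypervisor bit set, vendor leaf zeroed (hidden?)\n");
    else             printf("hypervisor present, vendor \"%s\"\n", vendor);
    return 0;
}
```

On a Qubes VM the live probe returns 1 with vendor "XenVMMXenVMM"; on bare metal it returns 0. The classification code 2 is the interesting one for the arms-race point: a hypervisor that simply zeroes the vendor leaf but forgets the presence bit (or vice versa) is trivially inconsistent, and real anti-analysis checks go on to compare timing, MSR behaviour and device enumeration, each of which the hiding hypervisor must also fake.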
I just wish Qubes had a simpler architecture, such that dom0 and the Qubes components could be implemented in e.g. Guix or Nix instead of a traditional distro. Love Qubes' desktop integrations.