by spoonfeeder006 1098 days ago
Security-wise, QubesOS is better than separate PCs since (at least in part) isolating the network card into a separate VM prevents it from having direct memory access to the whole system (I think devices do have DMA?).

It also provides a better way to communicate between VMs through simple RPC commands rather than hoping USB device drivers are not malicious.

In terms of maintenance, I'm pretty sure you could have only one templateVM for everything, which means you only have to update dom0 and that templateVM. So in terms of maintenance that's really not that much more, I guess?

I think I might try that myself, actually.

If you need persistence in the root filesystem, that could mean a standalone VM or a new VM. Last I tried, I had trouble with their AppVM solution on that.