This would hinge on what "configuration data" means. IMO, most of that
in /rw consists of executables or binds... stuff that shouldn't be left
in place when the VM in question is considered at-risk.

The part about dom0 seems unnecessary. The protection service is running
from the template's read-only root, before /rw is mounted.

To "clean" /rw contents... it doesn't seem healthy to do this in a
conventional sense with parsing. It should perform removal/replacement
of files, which is already done in some sense. Going forward, it could
make exceptions for things like NetworkManager connections and Tor data
(if their formats allow no execute/scripting directives) based on a
whitelist. But for now, 'clean boot' is a usable compromise that keeps
/home data.

The latest version of the protection service does its job before the
/rw/config scripts (and bind-dirs), BTW. Another thing is that it can
'clean' (replace) any file in /rw, /home or otherwise if you add the
path+file to the /etc/defaults/vms folder in the template.
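
The whitelist idea from the message above (remove files rather than parse them, with listed exceptions), as an added sketch that is not part of the original message and not the protection service's own code. The names clean_rw and demo, the one-path-per-line allowlist format and the sample tree are assumptions made for illustration; the sketch does not inspect file contents for execute/scripting directives.

```shell
#!/bin/sh
# Added sketch, not the protection service's code. An allowlist file names
# paths relative to the volume root, one per line; regular files at or
# under a listed path survive, everything else is deleted.

clean_rw() {    # clean_rw ROOT ALLOWLIST_FILE
    ROOT=$(cd "$1" && pwd -P) || return 1
    ALLOW=$2
    export ROOT ALLOW
    # -exec ... {} + hands names over as arguments, so newlines or spaces
    # in a file name cannot hide it from the loop.
    find "$ROOT" ! -type d -exec sh -c '
        for path in "$@"; do
            rel=${path#"$ROOT"/}
            keep=no
            # Symlinks, sockets and FIFOs never survive, even if listed.
            if [ -f "$path" ] && [ ! -L "$path" ]; then
                while IFS= read -r entry; do
                    case $entry in ""|"#"*) continue ;; esac
                    case $rel in "$entry"|"$entry"/*) keep=yes; break ;; esac
                done < "$ALLOW"
            fi
            [ "$keep" = yes ] || rm -f -- "$path"
        done' sh {} +
    # Drop directories left empty, deepest first; rmdir refuses the rest.
    find "$ROOT" -depth -type d ! -path "$ROOT" -exec rmdir {} \; 2>/dev/null || true
}

# Constructed sample tree standing in for /rw; prints what survives.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/rw/config/nm-connections" "$t/rw/home/user" "$t/rw/usrlocal/bin"
    for f in config/nm-connections/wifi config/rc.local usrlocal/bin/tool \
             home/user/notes.txt "config/$(printf 'odd\nname')"; do
        printf 'x\n' > "$t/rw/$f"
    done
    ln -s /etc/passwd "$t/rw/config/nm-connections/link"
    printf '# kept paths\nhome\nconfig/nm-connections\n' > "$t/allow"
    clean_rw "$t/rw" "$t/allow"
    (cd "$t/rw" && find . -type f -o -type l | sort)
    rm -rf "$t"
}

demo
```

Only the allowlisted connection file and the /home file remain in the sample tree; the script, the binary, the oddly named file and the symlink planted inside the allowlisted directory are all removed.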