But a USB drive can act as a keyboard (i.e. send keystrokes). You can disable all devices acting as a keyboard using udev rules.
A malicious USB drive can also listen to the data going to other USB devices on the same controller. You cannot detect this.
A malicious USB device can also send data (including keystrokes) on behalf of other devices. If you have a keyboard attached to the same controller, you are currently out of luck.
You probably can get into the USBVM easily from a USB device by logging in as root on the login screen. This, however, assumes that keystrokes are not captured by other means, which I am not sure is true on the latest Qubes version, since some input proxies have been implemented. On 3.0, I was able to shut down the Debian USBVM with Ctrl+Alt+Delete, which suggests that some more complex attacks (using the default empty root password) might be possible on this version. On newer versions, I haven't tested it.
Nevertheless, I have disabled all USB keyboards on my USBVM for the reason above. They are enabled only in dom0, which uses a separate USB controller.
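
An added example, not part of the original post: one way to block keyboard interfaces inside a USB VM. It writes to the kernel's per-interface `authorized` file in sysfs instead of using the udev rules the post mentions. The function names, the `--apply` switch and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: deauthorize USB interfaces that declare themselves HID keyboards.
# Assumes a kernel with per-interface authorization (sysfs file "authorized").
# Interface descriptor values: class 03 = HID, protocol 01 = keyboard.

# Print the sysfs directory of every keyboard interface found under $1.
find_usb_keyboards() {
    root=${1:-/sys/bus/usb/devices}
    for intf in "$root"/*; do
        [ -r "$intf/bInterfaceClass" ] || continue   # whole-device nodes lack it
        [ "$(cat "$intf/bInterfaceClass")" = "03" ] || continue
        [ "$(cat "$intf/bInterfaceProtocol" 2>/dev/null)" = "01" ] || continue
        printf '%s\n' "$intf"
    done
}

# Write 0 to "authorized" for each keyboard interface; print how many were blocked.
block_usb_keyboards() {
    count=0
    for intf in $(find_usb_keyboards "$1"); do
        if [ -w "$intf/authorized" ]; then
            echo 0 > "$intf/authorized" && count=$((count + 1))
        fi
    done
    echo "$count"
}

# Constructed sample tree standing in for /sys/bus/usb/devices (not real hardware):
# 1-1 is a plain storage stick, 1-2 is a "drive" that also exposes a keyboard.
make_sample_tree() {
    t=$(mktemp -d)
    for spec in "1-1:1.0 08 50" "1-2:1.0 08 50" "1-2:1.1 03 01"; do
        set -- $spec
        mkdir -p "$t/$1"
        printf '%s\n' "$2" > "$t/$1/bInterfaceClass"
        printf '%s\n' "$3" > "$t/$1/bInterfaceProtocol"
        printf '1\n' > "$t/$1/authorized"
    done
    mkdir -p "$t/1-1" "$t/1-2"
    printf '%s\n' "$t"
}

# Touch the real sysfs tree only when asked to explicitly (run as root).
if [ "${1:-}" = "--apply" ]; then
    block_usb_keyboards /sys/bus/usb/devices
fi
```

The match on protocol 01 only catches interfaces that announce the boot keyboard protocol; dropping that test blocks every HID interface, which is the stricter choice for a VM that should never take USB input.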