awokd is right about root non-persistence... it's a good thing to keep. I
only use standalone VMs for rare types of tests.

I'm also not sure that separating large GUI apps from each other in
different VMs is an answer to anything; once you have the layers in
place to support one large app, you probably have most potential
app-related vulns installed at that point.

My personal recommendation is to use debian-9 for most things; create a
larger version with the usual desktop environment (KDE or Gnome) + apps
installed. The smaller one works for sys-net, firewall, vpn, etc. plus
browsing and email. The big one is for content creation and special
comms: office apps, media, messengers, etc.

The isolation concept works best (on Qubes at least) when applied to the
types of _tasks and risks_ you expose each VM to... not so much when
applied to specific apps (although occasionally risk types translate
into specific apps).

--
Chris Laprise,
tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886