What's great about Qubes is the fact that with proper hardening, it becomes very resilient thanks to the fact that it follows a 0-trust model.
2. Reducing the attack surface by only installing what is needed. Refer to usage of the debian-minimal and fedora-minimal templates in the Qubes documentation.
3. Drop INPUT and OUTPUT in sys-net (only do this if you have proper DNS resolving mechanisms in place that are not reliant on sys-net; Qubes is reliant on sys-net for proper DNS resolution by default). If you're interested then you can start by learning how to use DNSCrypt proxy made by jedisct1 or using Stubby to make a sys-dns qube to do DNS over TLS resolutions.
4. Implementing the use of a VPN in Qubes or highly relying on sys-whonix to torify your connections.
5. Picking only update sources that you could trust. IDK about Debian but in Fedora, by default, all updates are grabbed from mirrors and a lot of those only support HTTP, which is bloody insecure thanks to being just plaintext and susceptible to MITM attacks. This can be changed by modifying /etc/yum.repos.d/fedora.repo and fedora-updates.repo.
If you're interested in doing this then you can search up a thread I made about this here in qubes-users. Just put "Sphere" in search and you will definitely find it among the threads I have made.
6. Frequently updating your qubes after making sure you picked a source of updates that you can really trust.
"Since the majority of networks assign the actual IP address to you, you
likely won't have much control over that address, and logically the IP
address belongs to the network, not you. Chances are that with a
different MAC address you will not likely be getting the same IP address
each time either, depending of course on how they actually allocate
their addresses."
@steve.coleman: I would like to add that IP address allocation from the ISP to you entirely depends on whether they provisioned you a Modem or a Modem + Router combo.
For the case of a Modem, you will be allocated a random IP address from a pool of IP addresses the ISP provides on the subnet that you, as a client, were allocated to. Some ISPs do not provide it at random and in the case of statically assigning you an IP address, they use your modem's MAC address and bind it to a specific IP address which effectively becomes your public IP address. This is exactly why a VPN is very essential for privacy because any internet activity that does not go through a VPN could effectively be traced back to you by your ISP.
Do note that there has been wide confusion that's still happening about Modems and Routers thanks to some devices actually being labelled Modems but in reality they are Modem + Router combos that have a DHCP server which provides you your private IP addresses (Private IP addresses are IP addresses you use to access devices within your local network).
Even if that is not the case, I believe we can't be sure that there's no exploitable vulnerability in dnf involving packages poisoned either from the source itself or in transit through plaintext http.
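An added example, not part of the original post: a small audit of repo definitions in the /etc/yum.repos.d/*.repo format that reports enabled repos fetching over plaintext HTTP, using mirror lists that are not limited to HTTPS mirrors, or disabling GPG checks. The sample file is constructed, mirror.example.org is a placeholder host, and the `protocol=https` check assumes the mirror list server honours that query parameter.

```python
import configparser
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the layout of /etc/yum.repos.d/*.repo
# (mirror.example.org is a placeholder host).
SAMPLE_REPO = """\
[fedora]
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1

[fedora-updates]
baseurl=http://mirror.example.org/updates/$releasever/$basearch/
enabled=1
gpgcheck=0

[fedora-debuginfo]
baseurl=http://mirror.example.org/debug/$releasever/$basearch/
enabled=0
"""

OFF = {"0", "false", "no", "off"}

def audit_repo_text(text):
    """Return (repo_id, finding) tuples for every enabled repo in a .repo file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip().lower() in OFF:
            continue  # disabled repos are never fetched
        # Only an explicit gpgcheck=0 is flagged; a missing key inherits dnf.conf.
        if sec.get("gpgcheck", "1").strip().lower() in OFF:
            findings.append((repo, "gpgcheck disabled"))
        for key in ("baseurl", "metalink", "mirrorlist"):
            for url in sec.get(key, "").split():
                parts = urlsplit(url)
                if parts.scheme == "http":
                    findings.append((repo, f"{key} uses plaintext http"))
                elif key != "baseurl" and parts.scheme == "https" \
                        and parse_qs(parts.query).get("protocol") != ["https"]:
                    # Assumption: the mirror list server filters by protocol=https.
                    findings.append((repo, f"{key} not restricted to https mirrors"))
    return findings

if __name__ == "__main__":
    for repo, finding in audit_repo_text(SAMPLE_REPO):
        print(f"{repo}: {finding}")
```

To check a template's real configuration, pass the contents of each file under /etc/yum.repos.d/ to `audit_repo_text`.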