Can this be done to Firefox as well? I have just Firefox and Chromium in mind.
Ideally I think this should be implemented upstream by Qubes, but they don't modify DomU applications; sometimes they only add some patches to work with Qubes, but nothing to block an application.
The update proxy is a minimal mitigation that requires applications to be configured to use the proxy, but it is very easy to circumvent that. It is the bare minimum to avoid using a browser on the template, as stated in that page.
What I am thinking is that if this is done in Kicksecure and then later moved to a Qubes package for templates, qubes-template-browser-block, they can remove the update proxy that does not guard much against anything besides the browser, the templates will be networked again, and the template updates will be stream isolated.