Jonah wrote this when comparing VM setups and QubesOS setups:
But even then, choosing between the two is still highly dependent on one’s threat model, and it’s good that you put yours into consideration.
On the other hand, a flaw specific to QubesOS is that it still uses X11, so apps in the same qube can interact a great deal.
Edit: I think this could also be worth mentioning: ChromeOS can use Crostini VMs to isolate apps, and using VMs on MacOS provides both security through both compartimentalization and firmware/hardware security