Qubes OS is security by compartmentalisation and allows you to segregate and air gap hardware virtually (which requires VT-d/IOMMU and trust that there’s no Xen guest escape or hypervisor exploit). It’s a neat project, though IMHO it would be weaker for the threat model you describe in your blog post.