Update Quality of Life.md

Signed-off-by: Tommy <contact@tommytran.io>

Quality of Life.md

@@ -38,15 +38,27 @@ Lenovo ePrivacy can be controlled through `/proc/acpi/ibm/lcdshadow`. I use the
 - F6: `sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'`
 
 ### FIDO2 policies
-The GUI configurator are missing 2 important policies needed for FIDO2 to work correctly, namely ctap.GetInfo and ctap.ClientPin.
+The GUI configurator are missing 2 important policies needed for FIDO2 to work correctly, namely `ctap.GetInfo` and `ctap.ClientPin`.
 
 Personally, I created `/etc/qubes/policy.d/50-ctap.policy` (note that I don't touch `/etc/qubes/policy.d/50-config-u2f.policy` to avoid it being overwritten by the GUI tool):
 
 ```
-ctap.GetInfo    *  microsoft-edge  sys-usb  allpw
+ctap.GetInfo    *  microsoft-edge  sys-usb  allow
 ctap.ClientPin  *  microsoft-edge  sys-usb  allow
 ```
 
+### Split GPG
+The GUI configurator is very broken so I don't use it. Instead, I write my own policy at `/etc/qubes/policy.d/50-gpg.policy`
+```
+qubes.Gpg  *  thunderbird  vault  allow
+```
+
+Note that I just use allow here, because the vault VM on a new Fedora 41 already prompts for confirmation, so I don't wanna have to answer yet another prompt from dom0.
+
+### Trivial data exfiltration prevention
+
+One trivial way for malicious applications to exfiltrate data from an offline VM is to open a link in a disposable VM with a payload. To prevent this, open the VM settings, go to advanced and set the default disposable template to none.
+
 ### Bitwarden & Element Flatpak
 
 These apps require the keyring to be created first to work properly. Simply open a browser like Microsoft Edge and set an empty password for the keyring before using them.