Live mode does not use squashfs, but the host/iso does, which will fail if the module is not loaded.
Instead of blacklisting you could also skip compiling them into the custom kernel. I guess the cloud kernel from the debian repo won’t have most of those and other stuff. But I also could not get it to work.
Because root access means game over if malware gained root. The attacker has way too many ways to compromise the system in persistent ways. Root should be allowed to load the module / mount any disk.
It’s there for me in VirtualBox. VirtualBox might add CD-ROM support by default while Qubes only adds the bare minimum. If so, is there a way to disable it in the VirtualBox OVAs by default?
An attacker could attempt to mount something containing the filesystem which will load the module.
Things like thunar-volman and udisks allow unprivileged mounting.
Root can just remove the file that blacklists these modules anyway.
W: security-misc: obsolete-command-in-modprobe.d-file etc/modprobe.d/30_security-misc.conf install
N:
W: obsolete-command-in-modprobe.d-file
N:
N: Use of 'install' and 'remove' commands in module files in
N: /etc/modprobe.d and /etc/modules-load.d is deprecated and should be
N: replaced with 'softdep' commands.
N:
N: Severity: warning
N:
N: Check: modprobe
N:
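As an added example (not from this thread or from the security-misc project): a POSIX sh helper that reads a constructed modprobe.d fragment and tells apart a module that is only `blacklist`ed (alias autoload is suppressed, but an explicit load by root, udisks or a mount of that filesystem still succeeds) from one diverted with `install <mod> /bin/false` (explicit loads fail too). The fragment and the function names are assumptions for the demo, not the project's real 30_security-misc.conf.

```shell
#!/bin/sh
# Constructed modprobe.d fragment for the demo (not the project's own file).
SAMPLE_CONF='blacklist squashfs
install squashfs /bin/false
blacklist udf
# cdrom is only blacklisted, so "modprobe cdrom" or a mount still loads it
blacklist cdrom
'

# module_policy <module> [conf]
#   disabled      - an install line diverts the module to /bin/false or
#                   /bin/true, so explicit modprobe requests fail as well
#   autoload-only - only a blacklist line exists; alias-based autoload is
#                   suppressed, but an explicit load still works
#   allowed       - no restriction found in the fragment
# Hyphens and underscores are treated as equivalent, as modprobe does.
module_policy() {
    mod=$(printf '%s' "$1" | tr '-' '_')
    conf=$(printf '%s\n' "${2:-$SAMPLE_CONF}" | tr '-' '_')
    if printf '%s\n' "$conf" |
        grep -Eq "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/(false|true)([[:space:]]|$)"; then
        echo disabled
    elif printf '%s\n' "$conf" |
        grep -Eq "^[[:space:]]*blacklist[[:space:]]+$mod([[:space:]]|$)"; then
        echo autoload-only
    else
        echo allowed
    fi
}

# On a real host, a dry run shows what modprobe would execute without loading
# anything; an "install /bin/false" line in the output confirms the divert.
live_check() {
    command -v modprobe >/dev/null 2>&1 && modprobe -n -v "$1" 2>&1
}

for m in squashfs cdrom ext4; do
    printf '%s: %s\n' "$m" "$(module_policy "$m")"
done
```

Pass a real file's contents as the second argument (for example `module_policy cdrom "$(cat /etc/modprobe.d/*.conf)"`) to check a live configuration instead of the sample.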