AFAIK, TemplateVM update checks work by having some AppVMs based on the TemplateVM check for updates. If all TemplateVMs are connected to a Whonix-Gateway, but not all AppVMs based on these templates are, then it seems like a good idea to disable “Check for VM updates” in Qubes Manager (in order to preserve package list privacy linkability, for example).
However, is the same true of dom0? In other words, if my UpdateVM is connected to a Whonix-Gateway, does enabling “Check for dom0 updates” cause the update checks to go over my clearnet connection (sys-firewall or sys-net) or over Tor?
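Added example, not part of the original post: under the premise stated above (AppVMs perform the update check on behalf of their TemplateVM), this script lists the AppVMs whose netvm differs from that of their template, which are the ones whose checks would leave by a different path than the template's own updates. The `name|template|netvm` input format, the function name and the sample inventory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Input: one VM per line as name|template|netvm (assumed format).
# "-" means "no value" (a template has no template; an offline VM has no netvm).

# Constructed sample inventory, not taken from a real system.
SAMPLE_INVENTORY='debian-8|-|sys-whonix
whonix-ws|-|sys-whonix
work|debian-8|sys-firewall
anon-browser|whonix-ws|sys-whonix
vault|debian-8|-
personal|debian-8|sys-whonix'

# Reads the inventory on stdin and prints one line per mismatch:
#   appvm template appvm_netvm template_netvm
mismatched_update_paths() {
    awk -F'|' '
        # Remember every VM, keeping input order for stable output.
        NF >= 3 { tmpl[$1] = $2; net[$1] = $3; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                vm = order[i]; t = tmpl[vm]
                if (t == "-" || t == "") continue              # a template or standalone VM
                if (!(t in net)) continue                      # template missing from inventory
                if (net[vm] == "-" || net[vm] == "") continue  # offline VM cannot check at all
                if (net[vm] != net[t])
                    print vm, t, net[vm], net[t]
            }
        }'
}

printf '%s\n' "$SAMPLE_INVENTORY" | mismatched_update_paths
```

An empty result means every networked AppVM in the inventory uses the same netvm as its template.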