Eh, I don't know about "layprogrammer" but I think laypeople can follow at least key principles with right source material. Especially programmers. Here's the differences I put in my original critique to Joanna about Qubes' design choices. The Xen project stemmed from the Nemesis OS:
The architecture was designed for efficiency and management goals. The Xen project became a virtualization system that used a chunk of Linux in Dom0 for drivers, put guests in other VM's, and had plumbing to let them work together. IPC & VM launching had horrid performance. Kernel was complex. A nice architecture for virtualization that did improve over time in many ways. Unfortunately, you have to trust significant components like Dom0 and Xen that weren't designed for high-security. The complexity of Xen alone gave difficulty for the only team I know that tried to increase its assurance directly:
So, Qubes built on that foundation. That was my primary gripe with it as this probably wouldn't reach either assurance or performance (esp IPC) of microkernels. Otherwise, they did add a lot of good usability features and isolated some pieces. That was good. The category I place it in is a cross between a MILS and CMW system whose attack surface is in the middle. To help you understand that, I'll give an old paper on CMW's that shows what they looked like and one describing MILS architecture (i.e. separation kernels).
Note: Argus PitBull is a commercial example of CMW still around. MILS was implemented by Green Hills, Lynx, & VxWorks by 2005-2006. All still around if you choose to Google them.
So, MILS desktops were built like the Orange Book systems to be certified at EAL6 or EAL7. That required a ridiculous amount of security activity. See pg 8 and 12-14 here...
...to see what kind of assurance went into security kernels from prior times. Went all out with MAC, integrity levels, segments, object-based protection, covert channel analysis, generation on-site, config management. Lots of stuff to counter all threats, including malicious insiders. Current certs require even more on assurance side although HW-assists can be weaker. That's why only a handful make the cut & usually cost $$$. ;) Hope you see why my baseline was MILS-style separation kernels rather than Xen or whatever. So, what is similar in OSS world?
Note: Closer to Xen models but with Nizza- or MILS-style design attributes. This was implemented as Turaya Security Kernel & Turaya Desktop. It may be used in Sirrix TrustedDesktop but not sure.
Note: Different enough from traditional that I'd love to see formal analysis of their model by external parties. Could be issues there. However, they keep to ease modelling of overall thing and using where possible components designed specifically for secure operation. That's rare in OSS projects.
Note: Fiasco.OC and seL4 are others. I know this one has been ported into GenodeOS, though.
So, I hope those links paint an overall picture for you. Security of a solution against strong attackers depends on the underlying foundation. Is it trustworthy on its own? Does the use of it facilitate easy or difficult security? Historically, the security kernels and capability systems did really well on making secure operation, at least containment, be easier to pull off. UNIX-like and monolithic architectures made it horribly difficult with several attempts at secure, compatible UNIX failing.
Xen itself borrows some principles from more robust systems but wasn't and still isn't designed like security kernels. It also doesn't integrate much out of high-security research although some researchers still add improvements. Qubes builds on it & will inherit some of its risks. GenodeOS is designed a bit more like security/separation kernels. It does borrow plenty from high-security research, including underlying kernels. So, although actual assurance varies, architectures like GenodeOS building on high-assurance components have much higher potential for eventual security than architectures like QubesOS building on low-to-medium-assurance platforms.
And this isn't even counting the number of application-layer issues that show up within a partition. The MILS, OKL4 CAMKES, GenodeOS, etc methods of splitting applications between partitions w/ protected communications is very important for that use case. E language is a good example on capability-security side. Gotta protect trusted part or secrets from untrusted part (esp transport or UI). Mandatory access controls or CMW-style features within the partition can also help but they're fighting weaker attackers. So, these are overall the kinds of things I think about when evaluating platforms like this.
Pro tip: look at underlying platform, design principles, security architecture, and assurance activities first. If these fail, then what depends on them fails. Most security-oriented tech builds on foundations of quicksand. Things built that way typically sink under weight of strong attacks.
EDIT: I just noticed your edit after doing this research and write-up. Fortunately, I think it still addresses it. Talk about preemption. :)
https://en.wikipedia.org/wiki/Nemesis_%28operating_system%29
The architecture was designed for efficiency and management goals. The Xen project became a virtualization system that used a chunk of Linux in Dom0 for drivers, put guests in other VM's, and had plumbing to let them work together. IPC & VM launching had horrid performance. Kernel was complex. A nice architecture for virtualization that did improve over time in many ways. Unfortunately, you have to trust significant components like Dom0 and Xen that weren't designed for high-security. The complexity of Xen alone gave difficulty for the only team I know that tried to increase its assurance directly:
http://www-archive.xenproject.org/files/xensummitboston08/Xe...
So, Qubes built on that foundation. That was my primary gripe with it as this probably wouldn't reach either assurance or performance (esp IPC) of microkernels. Otherwise, they did add a lot of good usability features and isolated some pieces. That was good. The category I place it in is a cross between a MILS and CMW system whose attack surface is in the middle. To help you understand that, I'll give an old paper on CMW's that shows what they looked like and one describing MILS architecture (i.e. separation kernels).
http://web.ornl.gov/~jar/doecmw.pdf
http://www.omg.org/news/meetings/workshops/RT_2004_Manual/00...
Note: Argus PitBull is a commercial example of CMW still around. MILS was implemented by Green Hills, Lynx, & VxWorks by 2005-2006. All still around if you choose to Google them.
So, MILS desktops were built like the Orange Book systems to be certified at EAL6 or EAL7. That required a ridiculous amount of security activity. See pg 8 and 12-14 here...
http://lukemuehlhauser.com/wp-content/uploads/Karger-et-al-A...
...plus Section 6 and 7 on p 125 here...
http://aesec.com/eval/NCSC-FER-94-008.pdf
...to see what kind of assurance went into security kernels from prior times. Went all out with MAC, integrity levels, segments, object-based protection, covert channel analysis, generation on-site, config management. Lots of stuff to counter all threats, including malicious insiders. Current certs require even more on assurance side although HW-assists can be weaker. That's why only a handful make the cut & usually cost $$$. ;) Hope you see why my baseline was MILS-style separation kernels rather than Xen or whatever. So, what is similar in OSS world?
Nizza Architecture (2004 onward) https://os.inf.tu-dresden.de/papers_ps/nizza.pdf
Perseus Architecture http://www.perseus-os.org/content/pages/Hypervisor.htm
Note: Closer to Xen models but with Nizza- or MILS-style design attributes. This was implemented as Turaya Security Kernel & Turaya Desktop. It may be used in Sirrix TrustedDesktop but not sure.
Genode Architecture draws from Nizza etc at Dresden http://www.slideshare.net/sartakov/genode-architecture
Note: Different enough from traditional that I'd love to see formal analysis of their model by external parties. Could be issues there. However, they keep to ease modelling of overall thing and using where possible components designed specifically for secure operation. That's rare in OSS projects.
Muen Separation Kernel http://muen.sk/
Note: Fiasco.OC and seL4 are others. I know this one has been ported into GenodeOS, though.
So, I hope those links paint an overall picture for you. Security of a solution against strong attackers depends on the underlying foundation. Is it trustworthy on its own? Does the use of it facilitate easy or difficult security? Historically, the security kernels and capability systems did really well on making secure operation, at least containment, be easier to pull off. UNIX-like and monolithic architectures made it horribly difficult with several attempts at secure, compatible UNIX failing.
Xen itself borrows some principles from more robust systems but wasn't and still isn't designed like security kernels. It also doesn't integrate much out of high-security research although some researchers still add improvements. Qubes builds on it & will inherit some of its risks. GenodeOS is designed a bit more like security/separation kernels. It does borrow plenty from high-security research, including underlying kernels. So, although actual assurance varies, architectures like GenodeOS building on high-assurance components have much higher potential for eventual security than architectures like QubesOS building on low-to-medium-assurance platforms.
And this isn't even counting the number of application-layer issues that show up within a partition. The MILS, OKL4 CAMKES, GenodeOS, etc methods of splitting applications between partitions w/ protected communications is very important for that use case. E language is a good example on capability-security side. Gotta protect trusted part or secrets from untrusted part (esp transport or UI). Mandatory access controls or CMW-style features within the partition can also help but they're fighting weaker attackers. So, these are overall the kinds of things I think about when evaluating platforms like this.
Pro tip: look at underlying platform, design principles, security architecture, and assurance activities first. If these fail, then what depends on them fails. Most security-oriented tech builds on foundations of quicksand. Things built that way typically sink under weight of strong attacks.
EDIT: I just noticed your edit after doing this research and write-up. Fortunately, I think it still addresses it. Talk about preemption. :)