Dom0 is the "management" VM that runs the Qubes system. It doesn't look like a traditional VM, because it connects directly to your screen, keyboard, etc., but it's still controlled by the Xen hypervisor. From an end-user standpoint, you're not meant to modify this system on a day-to-day basis. Instead, you use the Qubes to access the internet, run programs, etc.
Due to Security by Isolation, dom0 isn't connected to the internet directly. As such, when updating or installing packages it uses an UpdateVM as a proxy. The UpdateVM downloads the packages to a local directory, which is then copied over to dom0 using shared memory. Once the packages are in dom0, they are verified against the GPG keys stored inside dom0. As such, even if the UpdateVM is compromised (through an apt/wget/etc. exploit), it can't feed malicious packages through to dom0. You can change which Qube is the UpdateVM either through the GUI or by setting the updatevm Qubes preference using
qubes-prefs --set updatevm $VMNAME
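The dom0-side signature check described above can also be repeated by hand on a set of package files. The following is an added example, not part of the original text and not Qubes' own tooling: it classifies the output of rpm -K (the wording of rpm 4.14 or later is assumed) and lists every package that was not verified by a key in the local rpm keyring. The function names and the directory argument are hypothetical.

```shell
#!/bin/sh
# Added example (not Qubes' own code). Assumes the status wording of
# rpm 4.14 or later; older wording is treated as unverified (fail closed).

# flag_unverified: read `rpm -K` lines on stdin and print the name of every
# package that was NOT verified by a key in the local rpm keyring.
#   "digests signatures OK"      signature checked against an imported key
#   "digests OK"                 checksum only: the package is unsigned
#   "digests SIGNATURES NOT OK"  bad signature, or signing key not imported
flag_unverified() {
    while IFS= read -r line; do
        case "$line" in
            *": "*"signatures OK") ;;               # verified, nothing to report
            *) printf '%s\n' "${line%: *}" ;;       # everything else is suspect
        esac
    done
}

# audit_dir DIR: check every .rpm in DIR (hypothetical argument, pass the
# directory you want to inspect). Returns 1 if any package is unverified.
audit_dir() {
    bad=$(LC_ALL=C rpm -K "$1"/*.rpm 2>&1 | flag_unverified)
    [ -z "$bad" ] && return 0
    printf 'not verified:\n%s\n' "$bad" >&2
    return 1
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

A package reported as "digests OK" passed only its checksum, which an attacker who controls the file can recompute, so only the signature result says anything about where the package came from.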
Mig5 has a tutorial for using a "disposable" UpdateVM that exposes some of the inner workings. Check it out at https://old.mig5.net/content/using-quasi-disposable-vm-updatevm-qubes