Style points for running xcalc to demonstrate arbitrary code execution on a UNIX desktop. calc.exe is pretty common for this sort of thing on Windows, but I think I'd forgotten xcalc even existed until seeing the screenshot. :)
While Qubes is probably the most secure desktop OS available, reading through this code shows the extreme conflict between high-performance code, especially highly optimized C code, and security. When I look at that code, I cannot use intuition; I have to think really hard to understand what it is doing, and even in doing so, I might well be wrong in my understanding.
sudo qubes-dom0-update
The exploit itself allows an attacker who gains control of one domain (like your untrusted cat video domain) to execute scripts in any domain.