Hi Richard, it's recommended to only actually upgrade xen packages just before you want to reboot the system, and when you already stopped all domUs.
This is e.g. a similar situation to upgrading the openvswitch package, which will also restart processes and mess up all network interfaces of running domUs. For unattended-updates, you can just stuff "xen" inside your Unattended-Upgrade::Package-Blacklist, or if you're not using that you can put all xen related packages on hold manually and only forcibly include them to be upgraded just before the reboot. Upgrading the xen packages while domUs are running can result in a wide range of scenarios which will cause problems. Solving all of those would require more work and adding far more complexity to the packages than there's programmers and testers (and hardware to test all scenarios etc) available in the Debian project to make that happen currently. Hans