
In particular, AES-CBC with Blake2b for HMAC combined with xChacha20-Poly1305.

The scheme is to encrypt with xChacha20-Poly1305 first, using a key derived from a high-entropy password using Argon2id; then, with AES-CBC-Blake2b, using a new key derived from the master key using Argon2id and a random IV, encrypt the resulting ciphertext and add authentication using Blake2b.

Would this be a secure scheme if implemented correctly, or does combining block and stream ciphers cause vulnerabilities?

1 Answer

With respect to confidentiality, cascading two ciphers (xChacha20 then AES-CBC in the question) with independent keys is at least as secure as either cipher against KPA and CPA attacks. That's irrespective of the ciphers' structure (block or stream), and of whether the IV of the first cipher is encrypted or not by the second.

That extends to authenticated ciphers with independent keys under CCA attack if failure of either integrity test deprives adversaries of any information, and if the second cipher applies to the output of the first including the authenticator of the first (here: if the poly1305 authenticator gets AES-CBC-encrypted and Blake2b-integrity-protected).

With respect to the above, I see no specific vulnerability to combining a block and stream cipher.

But here, we can't rely on the above, because the keys are not independent: the first cipher's key is used to derive all the other keys in a public way (assuming salts are public, as customary). So if a hypothetical attack on the first authenticated cipher (xChacha20-poly1305) leaks its key, which is the "master key", the second authenticated cipher (AES-CBC-Blake2b) does not help. In this circumstance, that could well occur if a side-channel attack on the first cipher succeeds (it's unclear if the question's "implemented correctly" leaves that possible).

This can be improved with a different password-to-keys derivation scheme (e.g. a single Argon2 whose result is split to form the other keys).

But in my opinion, cascading good authenticated ciphers is not useful, even if the keys are made independent. It adds complexity, thus potential for implementation errors. It does nothing towards solving other issues more likely to cause real harm than a break of either of the authenticated ciphers: password leak or guess by dictionary attack, penetration of any of the machines manipulating the plaintext, including but not limited to those doing encryption and decryption.

kelalaka

fgrieu
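As an added illustration (not part of the question or of the answer above), the following Python models the two key-derivation layouts the answer contrasts: the question's layout, where the outer AES-CBC/Blake2b key is derived from the master key with a public salt, so a leaked master key yields the outer key by public computation alone; and the suggested fix, one password-KDF call whose output is split so that neither key is a function of the other. It also shows the outer Blake2b keyed tag computed over the inner layer's ciphertext together with its Poly1305 tag, which is the scope the answer requires. Assumptions: `hashlib.pbkdf2_hmac` stands in for Argon2id only because Argon2 is not in the Python standard library (it is not memory-hard; a deployment would call Argon2id in the same places); the salts, password and inner-layer bytes are constructed sample values; the function names are this example's own.

```python
import hashlib
import hmac


def kdf(secret: bytes, salt: bytes, length: int) -> bytes:
    """Stand-in for Argon2id (assumption: Argon2 is not in the standard
    library). PBKDF2-HMAC-SHA256 keeps the same shape, secret + salt -> key,
    but is not memory-hard, so it is for illustration only."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=length)


def derive_dependent(password: bytes, salt_master: bytes, salt_second: bytes):
    """Layout described in the question: the master key feeds the inner
    xChacha20-Poly1305 layer and is also the input from which the outer
    AES-CBC/Blake2b key is derived, using a public salt."""
    master = kdf(password, salt_master, 32)
    outer = kdf(master, salt_second, 32)
    return master, outer


def recompute_outer_from_leaked_master(master: bytes, salt_second: bytes) -> bytes:
    """What someone holding only the master key (e.g. after a side-channel
    recovery of the inner cipher's key) can do: the outer key follows from
    public data, so the second cipher layer adds nothing in that case."""
    return kdf(master, salt_second, 32)


def derive_split(password: bytes, salt: bytes):
    """Answer's suggested fix: one password-KDF call for 64 bytes, split in
    two. Knowing one half gives no public rule that produces the other; an
    adversary would have to redo the password derivation itself."""
    out = kdf(password, salt, 64)
    return out[:32], out[32:]


def outer_mac(key: bytes, outer_ciphertext: bytes) -> bytes:
    """Blake2b has a native keyed mode, so no HMAC wrapper is needed. The
    input is the outer (AES-CBC) ciphertext, which itself encloses the inner
    ciphertext AND its Poly1305 tag, as the answer's CCA condition requires."""
    return hashlib.blake2b(outer_ciphertext, key=key, digest_size=32).digest()


def verify_outer(key: bytes, outer_ciphertext: bytes, tag: bytes) -> bool:
    """Constant-time comparison; a failed check must reveal nothing beyond
    'reject', which is the other condition stated in the answer."""
    return hmac.compare_digest(outer_mac(key, outer_ciphertext), tag)


if __name__ == "__main__":
    # Constructed sample values.
    pw = b"correct horse battery staple"
    salt_master = b"salt-master-0001"
    salt_second = b"salt-second-0001"

    master, outer = derive_dependent(pw, salt_master, salt_second)
    print("dependent layout, outer key recoverable from master:",
          recompute_outer_from_leaked_master(master, salt_second) == outer)

    k_inner, k_outer = derive_split(pw, salt_master)
    print("split layout, outer key from public rule on inner key:",
          kdf(k_inner, salt_second, 32) == k_outer)

    # Placeholder for AES-CBC(inner_ciphertext || poly1305_tag); constructed bytes.
    blob = b"aes-cbc-ciphertext-enclosing(inner-ct||poly1305-tag)"
    tag = outer_mac(k_outer, blob)
    print("outer tag verifies:", verify_outer(k_outer, blob, tag))
    print("tampered blob rejected:", not verify_outer(k_outer, blob + b"x", tag))
```

The first printed line is the weakness the answer describes: in the dependent layout, the outer key is a public function of the master key. The second shows the split layout has no such rule. The last two exercise the outer tag, whose input must already contain the inner layer's authenticator.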