Both VLC and Tor Browser use the mediaframeworks (gstreamer, ffmpeg) on Linux. In case of Tor Bowser the devs are working to reduce attack surface by limiting what codecs the browser accesses.
What codecs and their versions are vectors for fingerprinting individual systems although in the case of Whonix this isn’t much of a threat considering all users run the same baseline.
Seems fingerprinting media stats is done with JS in Firefox (fix is WIP). Since VLC doesn’t execute JS this shouldn’t be a problem.
As far as cookies go, VLC has published their privacy statement which applies to their mobile versions but can be extrapolated for the desktop too IMO.
VideoLAN does not collect any statistics, personal information, or analytics from our users, other than built in mechanisms that are present for all the mobile or embedded applications in their respective main distribution channels.
The mobile or embedded versions of ‘VLC’ do allow for videos to be played via various network transports. Cookies are not stored at any point. Authentication credentials can be stored optionally on the user’s local device upon the user’s explicit request.