It’s true but irrelevant since onion is different from https and the onions are not using https. ( Onion Services - Whonix )
Don’t use apt-transport-tor. In other words, don’t use tor+http. apt-transport-tor is required in Whonix, since apt-get is already pointed to Tor, torified. Just use the onions.
It’s not THAT bad with respect to apt-get since it uses verification. However, onions are good as defense in depth.
We have a ticket for that.
https://phabricator.whonix.org/T399
I am not sure when it’s sane to implement this. I encourage you and others to test updating using the onions. See if Debian keeps them. See how stable them are. If it’s stable we can of course use them, Not sure if in Whonix 14 or Whonix 15. Let’s see.
The worst case here would be we are migrating all Whonix users to the onion repositories and then these are overload and all users are stuck with broken updaters. That would be a small disaster.