Do paravirtualized devices pose a security risk to the host and other VMs on it?

Which is true, it doesnt.

KVM is installed on the host, and Whonix is a guest OS that has its own kernel. Therefore, if the guest OS is exploited, it has no direct impact on the host OS. The host system could be threatened only if an attacker exploits a VM escape vulnerability, such as Spectre or Meltdown or so… However, the occurrence of such a threat is unrelated to whether you are using full or paravirtualization.