You’ve included everything important from the L1TF thread. Reviewing the KVM options from here, I don’t think it would ever make sense in context of a host OS. To tighten KVM options for non-Whonix guests, one would either use Kicksecure or its config which includes my changes.
As an aside it seems the new kernel command turns all mitigations on including disabling SMT. I think it’s more manageable if you switch to using that instead of specifying every knob.
mitigations=auto,nosmt