Could you please check that Whonix ™ for KVM does use / does not use sudo whenever appropriate?
It uses sudo virsh start
but also non-sudo virsh -c qemu:///system net-autostart default
which is not obvious to me.
background: ⚓ T914 Whonix Host Live - enable KVM readonly mode - virt-xml vm-name --edit --disk readonly=on