It just occurred to me that anonymous (whonix) and not-anonymous qubes share a fingerprint when using the same browser. With this knowledge, should the recommendation be to never use a browser in a qube that isn’t anonymous? The attack here would be that a whonix qube is compromised and the attacker opens up a browser, takes the fingerprint and sends that back to themself to compare against a fingerprint database.
There is this recommendation (implicit):
System Configuration and Access - Kicksecure chapter Use a Dedicated Host Operating System and Computer in Kicksecure wiki
(Whonix is based on Kicksecure.)
Recommends using a dedicated computer. By using a dedicated computer with different completely hardware and screen.
+ never have a local VM compromised because then the adversary could start a browser there to (in the background, without any user visible clues).
Added now here as explicit recommendation:
System Hardening Checklist chapter Dedicated Computer in Whonix wiki