It depends on your threat model.
JavaScript de-anonymization exploits are rare (and can’t even be done on Whonix) and historically, have only ever been known to be used on pedophiles.
“a security hole” does not mean “giant gaping hole resulting in sandbox bypass and RCE”.