Well, in Qubes the host doesn’t connect directly to the internet but that makes little difference here. Another VM connecting to clearnet vs the host connecting to clearnet makes no conceptual difference here.
Yes.
Yes.
These are best practices. Not every violation always leads to instant compromise. It requires someone to look for it. It would be unrealistic to assume that a perfect implementation of all these best practices is done by all users all the time. There are no public reports of such attacks having been successfully used against users yet.