The short answer is: more research and documentation are required to answer this question.
Given the current state of Linux account user separation in most, if not all, Linux desktop distributions…
(Details: Strong Linux User Account Isolation)
It’s a huge task to even research and document all the various views on this topic.
While often repeated and strongly implied as best practice, “change passwords”, at time of writing, as it’s implemented now… No, at time of writing I think…
KeePassXC on Whonix-Gateway could be OK.
Password stored in plaintext on Whonix-Gateway could be OK.
Even passwordless sudo for user user in Whonix-Gateway… It could be challenging to describe a threat model where passwordless sudo for user user in Whonix-Gateway results in a bigger attack surface compared to using a strong sudo password for user user.