I know the question of using the stable vs testing branch on a distro level is settled for Whonix, but I feel there are compelling arguments to raise it for the kernel package specifically, as the most critical part for system safety and also because it's self-contained. Also, in light of the Spectre debacle, what fixes are not backported to the older LTS kernels supported in stable is worth a new look.
Here is what Greg Kroah-Hartman has to say as far as kernel security and the recommended versions one should run.
The number of security fixes that get backported are not as great as with the latest LTS release, because the traditional model of the devices that use these older LTS kernels is a much more reduced user model. These kernels are not to be used in any type of “general computing” model where you have untrusted users or virtual machines, as the ability to do some of the recent Spectre-type fixes for older releases is greatly reduced, if present at all in some branches.
So, here’s a short list of different types of devices, and what I would recommend for their kernels:
Laptop / Desktop: Latest stable release
Server: Latest stable release or latest LTS release
Embedded device: Latest LTS release or older LTS release if the security model used is very strong and tight.
The kernels in sid/testing/backports are usually not in sync with the ones listed as LTS on kernel.org, but I think they provide a good compromise between recency and stability.
My recommendation based on what he said is to have Whonix install the latest cloud version in backports to have the latest fixes and a lesser number of security bugs.
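Whichever kernel ends up installed, the practical check is whether it actually reports the Spectre-type mitigations the quote refers to. The kernel (4.15 and later) exposes one file per known issue under /sys/devices/system/cpu/vulnerabilities/, each reading "Not affected", "Mitigation: ...", "Vulnerable..." or "Unknown...". The following is an added example, not code from the post or from Whonix; the sample statuses are constructed, and only the sysfs path is real.

```python
"""Summarise the CPU vulnerability mitigations a running kernel reports."""
from pathlib import Path

# Real sysfs location (Linux 4.15+); older kernels do not expose it at all.
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample of what the files may contain, for offline use.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable: Retpoline without IBPB",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Not affected",
    "mds": "Unknown: Dependent on hypervisor status",
}


def classify(status: str) -> str:
    """Map a sysfs status line to a coarse category."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    # "Unknown..." (e.g. depends on hypervisor) or any future wording:
    # treat as needing attention rather than silently passing.
    return "unknown"


def read_status(vuln_dir: Path = SYSFS_VULN_DIR) -> dict:
    """Read every status file; empty dict means the kernel predates the interface."""
    if not vuln_dir.is_dir():
        return {}
    return {f.name: f.read_text().strip() for f in sorted(vuln_dir.iterdir())}


def needs_attention(statuses: dict) -> list:
    """Names of issues that are not reported as mitigated or not affected."""
    return sorted(name for name, s in statuses.items()
                  if classify(s) in ("vulnerable", "unknown"))


if __name__ == "__main__":
    live = read_status() or SAMPLE_STATUS  # fall back to the sample offline
    for name, s in live.items():
        print(f"{name:20} {classify(s):13} {s}")
    print("needs attention:", needs_attention(live))
```

An empty result from read_status() on a real host means the kernel is older than 4.15, which by itself answers the question of whether it carries these fixes.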