Whonix networking, as delivered uses NAT. The two machines (Gateway and Workstation) are a closed system that communicate with each other by means of the internal network. The Gateway is torified and sends those packets by nat to your host’s active interface, which is able to communicate with the outside internet. So, the Workstation is using Tor Browser, and that is all redirected to the Gateway which sends through Tor and nat forwards those packets to your host. Your host machine’s interface receives the packets from the virtualizer and forwards them to the internet. Then, a response comes in to your host (from the Tor Guard or Bridge) which then forwards back to the Gateway. Nat effectively isolates the virtual machines from your host so the two cannot communicate directly with each other by default.
Since the host interface that is connected to Whonix has to be able to accept incoming and outgoing connections, there are a variety of firewall and other solutions you could explore to tighten outgoing traffic originating from the host. Apparmor profiles are one idea, as is a dedicated interface used only for Whonix. Any modifications would be done only on the host.
Here is an idea: set up an iptables ruleset with a default deny policy. Have the outgoing interface drop any connections that come in and go out that are not from your Tor Guard or bridge. Even better, since Tor does not need DNS on the host, have your rules explicitly drop all packets in both directions to your chosen configured DNS nameservers. Maybe set it up as a bash script that you can run before you start Whonix. Create a complement script that returns everything to normal once you exit Whonix. Definitely possible with a little work.