In Multiple Whonix-Workstation, one of the Cross-VM attack vectors is “Attacks via Shared Bridge”. In particular, one part of this section mentions that being on the same subnet creates the potential for certain kinds of attacks.
I think the situation is a little more nuanced on QubesOS because recent versions assign a netmask of /32 to all VMs. So they’re all in separate subnets of exactly one host each. This is true for both whonix-workstation and sys-whonix.
I don’t think that this prevents every attack that would fall under this category. The fact that they are both connected directly to the same sys-whonix means that it would probably be easier for an attacker to get into a second workstation if they compromise a different one, because they would have the means to attack the same sys-whonix. And if they do get into that sys-whonix then they can definitely read all of the traffic (except application-encrypted data, of course).
I also have no idea how this impacts IPv6 (FWIW, they have /64 on my machine). I have done some basic configuration & troubleshooting on IPv4 networks, but my ISP doesn’t support IPv6 so I know next to nothing about it. I’m familiar with the protocols mentioned in that section in theory but my practical experience is limited. So I’m not sure to what extent the netmask protects users against the shared bridge, but it seems like a non-zero amount of protection.
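The following is an added illustration of the subnet point made in the post above; it is not part of the post and not Whonix or Qubes code. It uses constructed sample addresses (the 10.137.0.x and fd00:1::x values are made up for the example, not taken from a real system) and shows, with Python's standard `ipaddress` module, which VMs end up inside each other's on-link subnet for a /32 IPv4 netmask, for a hypothetical /24 netmask, and for an IPv6 /64.

```python
from ipaddress import ip_interface

# Constructed sample addresses: two workstations and their sys-whonix.
# The /32 prefix mirrors what the post describes for IPv4; the IPv6 /64
# mirrors the post's "FWIW, they have /64" remark. Values are made up.
VM_IPV4 = {
    "whonix-ws-1": "10.137.0.10/32",
    "whonix-ws-2": "10.137.0.11/32",
    "sys-whonix":  "10.137.0.6/32",
}
VM_IPV6 = {
    "whonix-ws-1": "fd00:1::10/64",
    "whonix-ws-2": "fd00:1::11/64",
    "sys-whonix":  "fd00:1::6/64",
}


def subnet_peers(addrs):
    """For each host, list the other hosts whose address falls inside
    that host's own on-link subnet (the network derived from its
    address and prefix length). An empty list means the host sees no
    other address as "local", which is the /32 situation."""
    ifaces = {name: ip_interface(a) for name, a in addrs.items()}
    peers = {}
    for name, iface in ifaces.items():
        peers[name] = sorted(
            other for other, o in ifaces.items()
            if other != name and o.ip in iface.network
        )
    return peers


def with_prefix(addrs, prefixlen):
    """Return the same addresses re-labelled with a different prefix
    length, to compare e.g. /32 against a hypothetical /24."""
    return {name: f"{ip_interface(a).ip}/{prefixlen}"
            for name, a in addrs.items()}


if __name__ == "__main__":
    for label, table in (("IPv4 /32", VM_IPV4),
                         ("IPv4 /24 (hypothetical)", with_prefix(VM_IPV4, 24)),
                         ("IPv6 /64", VM_IPV6)):
        print(label)
        for host, peers in subnet_peers(table).items():
            print(f"  {host:12} on-link peers: {peers or 'none'}")
```

With /32 every VM's on-link subnet contains only itself, so no workstation address is "local" to another; re-labelling the same addresses as /24 puts all three in one subnet, and the /64 IPv6 addresses do the same, which is the case the post says it is unsure about.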