How so? It has no sudoers exception.
This one we can say “boot into admin mode”.
Needs re-design.
We’ll just break the functionality as long as doas isn’t installed. As long as Tor Browser is unavailable as a Debian package [1] and thereby properly installed into the system and keeping out executable of the /home folder, Whonix probably should not enable noexec [1] for /home by default.
Qubes has a separate ticket. → Qubes sudo / su / root Hardening - Development Discussion
Qubes default is to install qubes-core-agent-passwordless-root. The plan for Kicksecure, Whonix is to no longer install qubes-core-agent-passwordless-root by default. Users will then be advised to open a Qubes Root Console instead.
[1] Would stable Tor Browser deb package help or burden whonix devs?
[2] Enhanced Security via Mount Options and Compiler Restrictions