Risks of running in "safer" Tor mode with javascript enabled?

Most sites nowdays use javascript so you can’t browser modern sites with it disabled.

However, if you are running whonix gateway and workstation in virtualbox - what risks are you really carrying?

Even if there is malicious javascript code, it still cannot escape the workstation compartment, correct?

What are the real risks?

And can these risks be mitigated by running qubes-whonix on a separate machine?

Search Tor Browser Essentials for:

javascript

And Data Collection Techniques.

This is also a general, non-Whonix specific Tor Browser question. Potential Solutions Beyond Whonix! applies:

No.

It would have to exploit the browser and then a VM breakout exploit.