Most sites nowdays use javascript so you can’t browser modern sites with it disabled.
However, if you are running whonix gateway and workstation in virtualbox - what risks are you really carrying?
Even if there is malicious javascript code, it still cannot escape the workstation compartment, correct?
What are the real risks?
And can these risks be mitigated by running qubes-whonix on a separate machine?