Xorg is a large amount of ancient code that receives barely any attention and adds a lot of attack surface. Debian has run Xorg rootless by default for years now, but Whonix’s default display manager, LightDM, decides to run it as root for whatever reason. You can verify this with
X doesn’t need to be run as root anymore (except maybe for some weird, rarely used drivers), so we should probably replace LightDM or figure out how to make it run X unprivileged. Most distros already do this by default.
On my host, I just modify ~/.bash_profile to automatically execute startx on login (via console). Display managers aren’t that important, especially considering Whonix automatically logs in. Getting rid of them entirely would be more attack surface removed.
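The following is an added example, not part of the original post: a guard for starting X from a console login without a display manager, plus a check that flags any X server still running with effective UID 0. The function names, the sample process list, and the assumption that the server's process name is `Xorg` or `X` are illustrative.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from Whonix or Debian.

# Print the PIDs of X servers whose effective UID is 0 (i.e. running as root).
# Reads lines in the format produced by:  ps -eo pid=,euid=,comm=
# Assumption: the X server's process name is "Xorg" or "X".
xorg_root_pids() {
    awk '$2 == 0 && ($3 == "Xorg" || $3 == "X") { print $1 }'
}

# Decide whether a login shell should start X itself.
#   $1 = path of the current terminal (output of `tty`)
#   $2 = current value of DISPLAY (empty if unset)
#   $3 = numeric UID of the user logging in
should_start_x() {
    [ -z "$2" ] || return 1              # an X session already exists
    [ "$1" = "/dev/tty1" ] || return 1   # first virtual console only, not SSH or other ttys
    [ "$3" -ne 0 ] || return 1           # never start X from a root login
    return 0
}

# Constructed sample process list: one root-owned server, one unprivileged.
SAMPLE_PS='  612     0 Xorg
  845  1000 Xorg
  901  1000 bash'

# Usage on a live system (commented out so this file has no side effects):
#
#   In ~/.bash_profile, after defining should_start_x:
#     if should_start_x "$(tty)" "${DISPLAY:-}" "$(id -u)"; then
#         exec startx
#     fi
#
#   To audit a running system:
#     ps -eo pid=,euid=,comm= | xorg_root_pids
#   No output means no X server is running as root.
```

Using `exec` replaces the login shell with `startx`, so the console session ends when X exits instead of dropping back to a logged-in shell.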