i have discovered that we can run vbox from the host using default firejail profiles.
and i have tested if whonix going to work normally = well it worked!
so this is a better way to be explained in the wiki and advise the users to use it.
so by this:
if someone managed to break whonix and break vbox he cant break it to the host.
but not sure about the anonymity once he break vbox even if its sandboxed.