Should Whonix host be fully torified by default?
Reframing the question:
What purposes are we using Whonix Host for besides hosting Whonix VMs in a secure way?
I would argue for turning the Whonix Host into something resembling Dom0 where no internet access is possible for software running there except to update the system and keep accurate network time. Any other cleranet access by other applications will add unnecessary risk.
Since we are applying this policy to Kicksecure (with the important caveat that non anonymous traffic is allowed) this shouldn’t seem controversial a decision IMHO.