Not against pci bus usb passtrhough, it is the same for both Tails running on USB and Whonix on virtualizers or usb itself.
Not mounted, cannot run. My understanding
Only if you allow those devices to be mounted. But it is not for Whonix, it is for Tails and every other OS.
Malware for the general population are phishing attacks, malicious downloads, not physically inserting a malicious usb to your computer.
Also, Device Passtrough is not “bad”, it is a mean for a vm to reach the host usb. On normal systems not virtualized like Tails, it is direct connection.
This also means that an infected host can attack the vm.
Summary: Tails does not have more protection against malicious usb devices that whonix using usb passtrough.
Whonix with security-misc package (pre-installed) has disabled thunar automounting security-misc/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml at ff8451469ad3b9cbd101ca4b93d72a2ac6cebe37 · Kicksecure/security-misc · GitHub, I don’t know about tails.
QubesOS as host has some protections against a malicious usb, such as not parsing the partition table, using a separate usb qube, but nothing is perfect or course and most qubes security bulletins major issues reports problems about pci passtrough.
I suggest reading Device handling security | Qubes OS
But that writing is very difficult, so read kernel.deny_new_usb sysctl to deny new USB devices this thread