It seems that Firejail is going to be installed by default in Whonix 15 so this seems like it’d be a good idea.
Any Xorg window has access to any other Xorg window. This makes it easier for things like keyloggers or screenshot programs that can even record the root password. 
Firejail has a way to sandbox these windows with an external X11 server so one window doesn’t have access to another window. It seems that there is only support for Xpra and Xephyr. I prefer Xephyr over Xpra.
Would it be good for Whonix to sandbox the Tor Browser or other programs in an X11 sandbox by default?
There is a guide on X11 sandboxing here
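
Added example, not part of the original post: a nested X server such as Xephyr only isolates a program if that program cannot still connect to the host X server directly. Abstract Unix sockets such as `@/tmp/.X11-unix/X0` are scoped to the network namespace rather than the filesystem, so this shell check parses `/proc/net/unix` to report whether a display is still reachable that way. The function names and the sample socket table are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect whether the host X server's abstract socket is
# visible from the current network namespace (e.g. from inside a sandbox).

# Print the display number of every *listening* abstract X11 socket listed in
# a /proc/net/unix-formatted file ($1, default: the live table).
# Field 4 is the socket flags; 00010000 marks a listening socket.
# Field 8 is the path; a leading "@" marks an abstract socket.
abstract_x11_displays() {
    awk '$4 == "00010000" && $8 ~ /^@\/tmp\/\.X11-unix\/X[0-9]+$/ {
             sub(/^.*X/, "", $8); print $8
         }' "${1:-/proc/net/unix}" | sort -un
}

# Return 0 if display $1 (":0", ":0.0", "host:0") has no listening abstract
# socket in this namespace, 1 if it does. $2 is an optional table file.
x11_abstract_isolated() {
    num=${1#*:}       # drop everything up to the colon
    num=${num%%.*}    # drop the screen suffix
    for d in $(abstract_x11_displays "$2"); do
        [ "$d" = "$num" ] && return 1
    done
    return 0
}

# Constructed sample: what a sandbox sharing the host network namespace sees.
# Host Xorg is :0, the nested Xephyr server is :100.
sample_shared_netns() {
    cat <<'EOF'
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 23456 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 23457 /tmp/.X11-unix/X0
0000000000000000: 00000003 00000000 00000000 0001 03 23999 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 40111 @/tmp/.X11-unix/X100
0000000000000000: 00000002 00000000 00010000 0001 01 40112 /tmp/.X11-unix/X100
EOF
}
```

Source the file inside the sandbox and call `x11_abstract_isolated :0`, with `:0` replaced by the host display; a non-zero status means the host display's abstract socket is still visible there.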