It seems that Firejail is going to be installed by default in Whonix 15, so this seems like it’d be a good idea.
Any Xorg window has access to any other Xorg window. This makes it easier for things like keyloggers or screenshot programs that can even record the root password. [1]
Firejail has a way to sandbox these windows with an external X11 server so one window doesn’t have access to another window. It seems that there is only support for Xpra and Xephyr. I prefer Xephyr over Xpra.
Would it be good for Whonix to sandbox the Tor Browser or other programs in an X11 sandbox by default?
There is a guide on X11 sandboxing here.