It may be possible to have it disabled by default - something I’ve personally asked about before, but we run into the problem of asking users if they want it enabled and then confusion.
Qubes has secure clipboard. KVM disables it by default. You may want to revise that statement.
Here’s the thing. Even an LCD can be a side-channel leaking its displayed contents to nearby mics due to changes in its coil noise according to what’s displayed. This is a practical attack. Things start going off the deep end once all facts are considered. Surely you can’t recommend users going on without a screen to do their computing. Not even a commandline only machine is safe.
Back to the main point. If I was to disable audio - which we still haven’t decided on until Patrick consults the Qubes people, this still leaves other browsers and VMs on the host exposed. If a security minded user were to add it back they would be running round with an open mic if they hadn’t even through to read about this problem.
Firejail is shipped, we do need volunteers to support users and maintain profiles.
If you are “smart” enough to avoid JS but still need Whonix support, you can se our mailing lists.