Not easy either.
On Whonix-Gateway this is possible and for Tor and linux user group debian-tor because Tor is just a normal application.
For Whonix-Host for KVM this might not be possible by simply only allowing kvm groups to connect to the internet because KVM isn’t an application. It’s inside the kernel and works differently.
For first iteration just a “simple” Whonix host firewall. It doesn’t get any less secure than previously Debian Host + Whonix-Gateway + Whonix-Workstation.
corridor and/or kvm-only outgoing traffic can be considered in a later release.
Related: