Whonix KVM dnsmasq - listen port on host operating system - attack surface reduction

That is in the VMs and not the host (dnsmasq fingerprinting) correct?

The TCP timestamps being disabled is only inside of the VM; however, dnsmasq is on the host, so it should still be considered. Just because Whonix has some obvious fingerprintable properties in exchange for security does not mean you should allow more fingerprints, especially ones that are unnecessary, like in this case of dnsmasq exposing itself on the host.

This is interesting because AFAIK Whonix disables these in the linux-hardened kernel, which I thought is in use only in Workstation and not Gateway, and I assumed that means no fingerprint (at least outside of Tor). Or do Gateway and Workstation both use the same kernel with the same options? If so, that could be an improvement: disable some hardening kernel features in Gateway, no?