Excellent summary. I should add that there is currently an issue with the Debian
minimal template used as the basis for FirewallVM.
On the Whonix issue, @icequbes1 is spot on. All traffic arriving at
sys-whonix will appear to come from a single IP address, that of the
firewall. So stream isolation between qubes may be compromised, if the
streams are based on IsolateClientAddress.
Example: I have 2 qubes representing different identities, which I use
to access separate accounts on the same mail server. If I put them behind
a firewall, they will share a common circuit, allowing identity
correlation.
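To make the circuit-sharing argument in the post above concrete, here is a small model of how Tor decides whether two SOCKS streams may share a circuit. This is an added example, not code from the post, from Qubes OS, Whonix or Tor; it models the documented semantics of the torrc SocksPort isolation flags (the flag the post calls IsolateClientAddress is spelled IsolateClientAddr in the Tor manual; it and IsolateSOCKSAuth are on by default, IsolateDestAddr and IsolateDestPort are off by default). The qube addresses, hostnames and SOCKS credentials are constructed for the demo.

```python
"""Model of how Tor picks a circuit for a SOCKS stream under its isolation flags.

Added example, not code from the forum post, Qubes OS, Whonix or Tor itself.
Two streams may share a circuit only when the value of every enabled
isolation flag matches. All addresses, hostnames and credentials are made up.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SocksRequest:
    client_addr: str                  # source IP of the TCP connection to the SocksPort
    dest_host: str
    dest_port: int
    socks_user: Optional[str] = None  # SOCKS5 username/password, if the client sends one
    socks_pass: Optional[str] = None


def isolation_key(req: SocksRequest,
                  isolate_client_addr: bool = True,
                  isolate_socks_auth: bool = True,
                  isolate_dest_addr: bool = False,
                  isolate_dest_port: bool = False) -> Tuple:
    """Return the tuple compared when deciding whether two streams may share a circuit."""
    key = []
    if isolate_client_addr:
        key.append(("client_addr", req.client_addr))
    if isolate_socks_auth:
        key.append(("socks_auth", req.socks_user, req.socks_pass))
    if isolate_dest_addr:
        key.append(("dest_addr", req.dest_host))
    if isolate_dest_port:
        key.append(("dest_port", req.dest_port))
    return tuple(key)


class CircuitAllocator:
    """Hands out circuit ids; streams with equal isolation keys reuse one circuit."""

    def __init__(self, **flags: bool) -> None:
        self.flags = flags
        self._circuits: Dict[Tuple, int] = {}

    def circuit_for(self, req: SocksRequest) -> int:
        key = isolation_key(req, **self.flags)
        if key not in self._circuits:
            self._circuits[key] = len(self._circuits) + 1
        return self._circuits[key]

    def shares_circuit(self, a: SocksRequest, b: SocksRequest) -> bool:
        return self.circuit_for(a) == self.circuit_for(b)


def run_scenarios() -> Dict[str, bool]:
    """Placements of two identity qubes talking to the same mail server.

    Returns, per placement, whether the two qubes end up on one circuit.
    """
    results = {}

    # 1. Both qubes use sys-whonix as their NetVM directly: sys-whonix sees two
    #    different source addresses, so IsolateClientAddr separates them.
    direct = CircuitAllocator()
    results["direct"] = direct.shares_circuit(
        SocksRequest("10.137.0.21", "mail.example", 993),
        SocksRequest("10.137.0.22", "mail.example", 993))

    # 2. Both qubes sit behind a firewall qube that NATs them: every stream
    #    reaches sys-whonix from the firewall's address (constructed here),
    #    the keys collide, and the two identities share a circuit.
    behind_fw = CircuitAllocator()
    results["behind_firewall"] = behind_fw.shares_circuit(
        SocksRequest("10.137.0.30", "mail.example", 993),
        SocksRequest("10.137.0.30", "mail.example", 993))

    # 3. Same placement, but each qube's client sends its own SOCKS5 username:
    #    IsolateSOCKSAuth keys on the credentials rather than the source IP,
    #    so the isolation survives the NAT.
    with_auth = CircuitAllocator()
    results["behind_firewall_socks_auth"] = with_auth.shares_circuit(
        SocksRequest("10.137.0.30", "mail.example", 993, "identity-a", "x"),
        SocksRequest("10.137.0.30", "mail.example", 993, "identity-b", "x"))

    # 4. With both default flags switched off there is nothing left to key on.
    no_flags = CircuitAllocator(isolate_client_addr=False, isolate_socks_auth=False)
    results["no_isolation_flags"] = no_flags.shares_circuit(
        SocksRequest("10.137.0.21", "mail.example", 993, "identity-a", "x"),
        SocksRequest("10.137.0.22", "news.example", 443, "identity-b", "x"))

    return results


if __name__ == "__main__":
    for placement, shared in run_scenarios().items():
        print(f"{placement:28s} shared circuit: {shared}")
```

The model deliberately leaves out the other things real Tor uses to separate streams (different SocksPort listeners never share a circuit, and circuits are also retired on a timer), so it shows only the effect of the flags themselves: once a NATing firewall collapses the source addresses, IsolateClientAddr alone no longer separates the two identities, and only a per-client signal that survives NAT, such as distinct SOCKS credentials, does.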