Since you don’t store any browser data, why not just use a disposable? Any malware won’t persist the session, seems trivial not to take advantage of it. Plus your passwords are in a separate qube so it’s not like you have the simplicity of login integration.
On top of that, if you only clear what you stated, you still leave your browser profile intact which leads to profile fingerprinting, even if you don’t store any cookies and such. At least with a dispvm you get a new profile every time. (If you’re interested on how to set it up, check out my howto guide: [Guide] Automatically install extensions and configure new (dispvm) hardened Firefox profiles with arkenfox user.js and policies)
This specifically: if you’re not carefully and selectively blocking cookies, then you can easily be tracked across websites. You could use temporary containers, or dispvms, or both if you’re extra paranoid.
That’s a good point, and if you apply the same strategy for browsing qubes, you get a smaller exploitable attack surface.