Oh, how well I understand you, dear friend! I created the topic with the same questions one day.
I solved this problem like this:
- Disabed update checks for all qubes and added Whonix qubes as exceptions (and now have to always make sure that there did not appear any new non-whonix qube).
- Disabled networking for all non-whonix qubes.
- Set sys-whonix as update proxy for dom0 and as default update/whonix update proxy.
- Disabled clock qube for any case, because clock synchronization is performed through clearnet and this reveals that you use some Linux OS and also always highlightes when you’re connecting to the Internet with it. Otherwise who can say that you not just started Tor Browser on your android phone, using your current network?
Qubes devs really messed this moment, by doing everything the way they did. They confused the users by giving them false feeling that they can hide Qubes presence by enabling that whonix proxy feature. They could at least somehow explain in their docs what really must be done for this purpose or explain in installer how really works whonix update proxy feature in order do not confuse users by this, because as we know with you - hiding presence of such OSes like Qubes can be really important thing for many users around the world.