It’s true. Even something like posting a screenshot of your dom0 desktop (without any confidential data in view) could be used to launch an attack against you, since knowing exactly what your dom0 desktop looks like might allow an attacker to take over a VM with fullscreen permissions to create a convincing simulation of your dom0 within that VM, inducing you to perform sensitive actions like entering passphrases.
Of course, such an attack should be easy to thwart by using a protected shortcut like alt+tab, so going to such great effort is unlikely to be worth it (unless the attacker somehow knows that you rarely use protected shortcuts).