Tails includes an "Unsafe Browser" which connects in the clear. So on top of a Firefox exploit, you would need another exploit to launch that browser or an exploit to escalate to root and tamper with the firewall rules. At least one Tails user has been successfully targeted like this ("an exploit taking advantage of a flaw in Tails’ video player to reveal the real IP address of the person viewing the video").[1] With Whonix, even an attacker with root would not be able to make a non-Tor connection because the firewall runs on a separate virtual machine.

[1] https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-h...

wow! that story is wild I totally missed that during the pandemic. now I'm no longer annoyed at always having to update tails the few times I boot it up.

but yeah probably going to prioritize Qubes and whonix again.

I mean yes and no.

Assuming there was an exploit that broke out of the Firefox sand box you are correct that any connection is via tor.

Though tails isn't 100% sure, you could chain a Firefox cve + user land to root and then turn off the to routing rules.

administrator/root is turned off by default, and even if the user turned it on during boot, they would still have to be tricked into approving or putting in their password again, am I missing something about the veracity of possible exploits?

There are some exploits that allow for gaining root access.

One that comes to mind is dirty sock[0]. It uses a vulnerability in the snap api to create a root user.

https://github.com/initstring/dirty_sock/blob/master/dirty_s...