I believe you are correct, and that this poses a significant risk for people who don't properly understand the underlying concepts.

A Qubes OS user needs to start a new disposable Whonix workstation VM to sidestep this attack, NOT create a new identity in the same disposable VM's browser, which is exactly what this attack targets.