Just saying, if you used Whonix, none of those bugs fixed in an "emergency" would have hurt you.
Whonix uses two virtual machines, one to run tor and the other only connects to the first, so you could (in theory) literally run anything as root on the Workstation one and it couldn't get your IP address. Even Adobe Flash, or javascript, or a browser with zero days. The only thing that could get you is a zero day in virtualbox itself, and even that would still need a privilege escalation first. For more details see https://www.whonix.org/wiki/Comparison_with_Others#Attacks
(I may be slightly overselling it, but it is definitely more secure than tails. Only very advanced extremists use it.)
In the same vein, P.O.R.T.A.L.[0] mitigates against leaks by running Tor on a separate hardware router. In principle, it should reduce the risk of geolocation, as VM esape to dom0 is not possible. Annual success of pwn2own should tell you that all browsers are thoroughly compromised. If your adversary can escape to dom0, they should be able to reveal your real source IP. Whonix seems to provide this as an option[1], but not by default.
Wouldn't any process running as root on the computer be able to re-flash the router?
This is also an order of magnitude harder than Whonix, while I consider Whonix, Tails, and TBB to all be the same order of magnitude difficulty. (And your router's screwed if you mess up.)
This does seem to provide better security, although probably comparable to the Physical Isolation that you mentioned.
> Wouldn't any process running as root on the computer be able to re-flash the router?
No, because router's management interface is only available out-of-band. This is a conscious design decision to mitigate against this threat: "In order to protect the PORTAL from tampering from malware (or malicious users), it also requires a third administration interface. This can be either a serial console, or physical connection."[0]
Or any kind of malware in your host system. The benefit of TAILS is that you are booting into a clean environment that is exactly as the authors' released.
A better system would combine the strengths of a live system like TAILS to host your gateway virtual machine and a separate machine for your workstation.
The TAILS security model seems a bit odd to me. These kind of zero-day attacks seems like the easiest way to deanonymize tor users, and tails doesn't protect against them at all. On the other hand, tails tries hard to keep the user's computer free from traces. But if the secret police has already identified you enough that they go and seize your computer, then you are already in trouble. Trying to protect yourself at that stage seems too late.
>On the other hand, tails tries hard to keep the user's computer free from traces. But if the secret police has already identified you enough that they go and seize your computer, then you are already in trouble.
It's that it denies them evidence. If they search all tor users, they might find proof that someone else accessed badsite.onion, but they couldn't prove that you did. Also in theory you can use tails on any computer without leaving a trace.
Imagine I want to use my work computer to browse tor, if I use their operating system then they might have spyware on it. If I use my own then I'm more secure. (They could have keyloggers or other hardware stuff, but that's more rare.)
Whonix uses two virtual machines, one to run tor and the other only connects to the first, so you could (in theory) literally run anything as root on the Workstation one and it couldn't get your IP address. Even Adobe Flash, or javascript, or a browser with zero days. The only thing that could get you is a zero day in virtualbox itself, and even that would still need a privilege escalation first. For more details see https://www.whonix.org/wiki/Comparison_with_Others#Attacks
(I may be slightly overselling it, but it is definitely more secure than tails. Only very advanced extremists use it.)