In the same vein, P.O.R.T.A.L.[0] mitigates against leaks by running Tor on a separate hardware router. In principle, it should reduce the risk of geolocation, as VM escape to dom0 is not possible. Annual success of pwn2own should tell you that all browsers are thoroughly compromised. If your adversary can escape to dom0, they should be able to reveal your real source IP. Whonix seems to provide this as an option[1], but not by default.
Wouldn't any process running as root on the computer be able to re-flash the router?
This is also an order of magnitude harder than Whonix, while I consider Whonix, Tails, and TBB to all be the same order of magnitude difficulty. (And your router's screwed if you mess up.)
This does seem to provide better security, although probably comparable to the Physical Isolation that you mentioned.
> Wouldn't any process running as root on the computer be able to re-flash the router?
No, because the router's management interface is only available out-of-band. This is a conscious design decision to mitigate against this threat: "In order to protect the PORTAL from tampering from malware (or malicious users), it also requires a third administration interface. This can be either a serial console, or physical connection."[0]
--
[0] https://github.com/grugq/portal
[1] https://www.whonix.org/w/index.php?title=Dev/Build_Documenta...