> one would need to spawn new disposable VMs for each identity

This is by design how everyone should always be using Qubes OS for any task, according to its documentation and approach to security.

> relying on the Tor Browser's new identity creation within the same disposable VM would be little different from running Tor Browser on a traditional OS

Yes, if you use a single VM on Qubes OS for everything, then all security you get is from the OS running in this VM. This is not how you use Qubes, https://doc.qubes-os.org/en/r4.3/introduction/faq.html#how-d...

I run Qubes as a daily driver according to the docs, and my workflow was not vulnerable to the discussed attack.