This is incorrect. The primary motivation for separating the Tor Gateway from the User VM is to prevent a bypass of the Tor proxy. This is one of the main advantages of Whonix / TorVM over Tails. If a packet reaches your destination without having been routed through Tor, it will be stamped with your actual public IP as its source, regardless of how many NATs / firewalls might be involved.
There are real world examples of both malicious and non-malicious cases of Tor circumvention. An example of the former includes the FBI's TBB-targeted NIT, called Magneto. In terms of the latter, inadvertent leaks happen when programs don't respect proxy rules, as has happened with Flash, Skype, Torrents, WebRTC, etc.
Whether using an "isolating proxy" (multiple machines) or not, using a white-listing proxy like Corridor can help ensure all of your traffic passes through Tor (Entry Guard, at least).
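The whitelisting idea in the post above (only let the workstation's traffic reach Tor relays, so a proxy bypass can at worst hit an entry guard), as an added example that is not Corridor's own code: it parses the "r" lines of a Tor consensus and emits gateway iptables rules. The consensus excerpt is constructed; the interface name, chain name and a default FORWARD policy of DROP are assumptions. Only new TCP connections to a relay's ORPort are accepted, since a modern Tor client fetches directory data through the ORPort as well; all UDP, including DNS, is rejected.

```python
"""Consensus-driven egress whitelist, in the spirit of Corridor.

Added example for this thread, not Corridor's own code. It parses the
"r" lines of a Tor network-status consensus (constructed sample below;
the real file is cached-microdesc-consensus in Tor's data directory)
and emits iptables rules for a gateway that forwards a workstation's
traffic only to relay ORPorts.
"""
import ipaddress

# Constructed excerpt. Both consensus flavours end an "r" line with
# "<IP> <ORPort> <DirPort>", so the address fields are taken from the end.
SAMPLE_CONSENSUS = """\
network-status-version 3 microdesc
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2024-01-01 00:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable V2Dir Valid
r relayB BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 198.51.100.7 443 0
s Fast Running Valid
"""

WORKSTATION_IF = "eth1"   # assumption: gateway interface facing the user VM
CHAIN = "TOR_WHITELIST"   # assumption: name of the custom chain


def parse_relays(consensus_text):
    """Return the set of (ip, orport) pairs announced in the consensus."""
    relays = set()
    for line in consensus_text.splitlines():
        if not line.startswith("r "):
            continue
        fields = line.split()
        if len(fields) < 8:
            raise ValueError("malformed r line: " + line)
        ip, orport = fields[-3], int(fields[-2])
        ipaddress.IPv4Address(ip)          # reject garbage before it reaches iptables
        if not 0 < orport < 65536:
            raise ValueError("bad ORPort in: " + line)
        relays.add((ip, orport))
    return relays


def build_rules(relays):
    """iptables commands: accept new TCP flows to relay ORPorts, reject the rest.

    Assumes the FORWARD chain's default policy is already DROP."""
    rules = [f"iptables -N {CHAIN}", f"iptables -F {CHAIN}"]
    for ip, orport in sorted(relays):
        rules.append(f"iptables -A {CHAIN} -p tcp -d {ip} --dport {orport} -j ACCEPT")
    # Everything else from the workstation, UDP and DNS included, is rejected.
    rules.append(f"iptables -A {CHAIN} -j REJECT --reject-with icmp-admin-prohibited")
    rules.append(f"iptables -I FORWARD -i {WORKSTATION_IF} -j {CHAIN}")
    # Inserted last so it sits at the top: reply packets of accepted flows.
    rules.append("iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    return rules


def destination_allowed(ip, port, relays, proto="tcp"):
    """Model of the policy above for a fresh outbound connection."""
    return proto == "tcp" and (ip, port) in relays


if __name__ == "__main__":
    print("\n".join(build_rules(parse_relays(SAMPLE_CONSENSUS))))
```

With a real consensus of several thousand relays an ipset is the sensible container instead of one rule per relay, and the rule set has to be regenerated whenever Tor fetches a new consensus. Note what this does and does not guarantee: a leaking application can still open a direct TCP connection to a relay (which then sees the real IP, as the post says), but it can never reach the real destination.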
Those are fair points. In fact, I deal with those complaints every time I install a new Tor Browser.
1. Automated updates: I set it to notify only - just because I don't want to be interrupted / surprised - not because I don't trust TPO or the update process. If you're worried about eavesdropping or metadata scavenging, this is not the same as MS phoning home because you can check the source and build it yourself.
2. JavaScript on by default. I turn it off or set security to 'high'.
3. Disconnect.me default search. I change it to something else.
4. Not sure if this is your concern but Torbutton works through Tor's Control Port. There exists a Tor control command called GETINFO that will retrieve the real public IP of your Tor client. In Whonix, these commands are filtered by the Control Port Filter Proxy. The control port can optionally be disabled entirely. This approach is much safer than using the Tor Browser Bundle on its own. I don't know how Tails addresses this.
As to your inclination to "roll your own" privacy browser, there are 2 things you might want to consider:
1. In general, security software (and anything involving cryptography) is best tackled as a community. No matter how brilliant you might be, one error is all it takes to render the whole solution dangerous. The more eyes the better.
2. Unless you replicate Tor Browser *exactly* (why roll your own if you're going to do that?), you will likely have a fantastically unique fingerprint that will identify you anywhere you go on the Internet, regardless of how many anonymous proxies you sit behind. Browser fingerprints cannot be eliminated completely. Instead of trying to hide, Tor Browser sets a public fingerprint that all users can share. As in #1, having a vigilant community helps identify new fingerprinting vectors asap.
[you might generate more interest on these topics on tor-users mailing list.]
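The control-port filtering described in point 4 above (a whitelist proxy between the browser and Tor's real control port, so that `GETINFO address` never reaches Tor), as an added example that is not Whonix's control port filter proxy or onion-grater code. The listen and upstream addresses, the cookie path, the exact command whitelist and the `510 Command filtered` reply text are assumptions; the filter answers PROTOCOLINFO and AUTHENTICATE itself so the client never learns the real control-port credential.

```python
"""Whitelisting control-port filter, the idea behind Whonix's control
port filter proxy. Added example for this thread, not Whonix's code.

Sits between a client (e.g. Torbutton) and Tor's real control port.
Only an exact-match whitelist of commands is forwarded; everything
else, GETINFO address included, is answered locally with a 510.
"""
import re
import socket
import socketserver

LISTEN = ("127.0.0.1", 9151)       # assumption: where the client connects
TOR_CONTROL = ("127.0.0.1", 9051)  # assumption: Tor's real ControlPort
COOKIE_PATH = None                 # assumption: path to control_auth_cookie, or None

# Assumption: the handful of commands a browser needs. Patterns are anchored
# at both ends because GETINFO accepts several keywords in one command, so
# "GETINFO status/bootstrap-phase address" must not slip through.
ALLOWED = [
    re.compile(r"^GETINFO status/bootstrap-phase$", re.I),
    re.compile(r"^GETINFO net/listeners/socks$", re.I),
    re.compile(r"^SIGNAL NEWNYM$", re.I),
    re.compile(r"^GETCONF (UseBridges|Bridge)$", re.I),
]
FILTERED = "510 Command filtered\r\n"   # assumption: reply text for denied commands


def decide(line):
    """Return (forward, reply). forward=True: send to Tor and relay its
    answer; otherwise `reply` is sent to the client by the filter itself."""
    cmd = line.strip()
    keyword = cmd.split(None, 1)[0].upper() if cmd else ""
    # Authentication is terminated here, so the client never sees the real
    # cookie or password and cannot reuse it against Tor directly.
    if keyword == "PROTOCOLINFO":
        return False, "250-PROTOCOLINFO 1\r\n250-AUTH METHODS=NULL\r\n250 OK\r\n"
    if keyword == "AUTHENTICATE":
        return False, "250 OK\r\n"
    if keyword == "QUIT":
        return False, "250 closing connection\r\n"
    if any(p.match(cmd) for p in ALLOWED):
        return True, None
    return False, FILTERED


def read_reply(rf):
    """Read one complete control-port reply: '-' continuation lines and
    '+' data blocks (terminated by a lone '.') up to the final 'NNN ' line."""
    out = b""
    while True:
        ln = rf.readline()
        if not ln:
            break
        out += ln
        if ln[3:4] == b"+":
            while True:
                data = rf.readline()
                out += data
                if not data or data == b".\r\n":
                    break
        elif ln[3:4] == b" ":
            break
    return out


def authenticate_upstream(sock):
    """Authenticate the filter's own connection to Tor (cookie or NULL auth)."""
    rf = sock.makefile("rb")
    if COOKIE_PATH:
        with open(COOKIE_PATH, "rb") as f:
            sock.sendall(f"AUTHENTICATE {f.read().hex()}\r\n".encode())
    else:
        sock.sendall(b"AUTHENTICATE\r\n")
    if not read_reply(rf).startswith(b"250"):
        raise RuntimeError("upstream authentication failed")
    return rf


class FilterHandler(socketserver.StreamRequestHandler):
    def handle(self):
        upstream = socket.create_connection(TOR_CONTROL)
        urf = authenticate_upstream(upstream)
        for raw in self.rfile:
            line = raw.decode("ascii", "replace")
            forward, reply = decide(line)
            if forward:
                upstream.sendall((line.strip() + "\r\n").encode())
                self.wfile.write(read_reply(urf))
            else:
                self.wfile.write(reply.encode())
                if line.strip().upper() == "QUIT":
                    break
        upstream.close()


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(LISTEN, FilterHandler) as srv:
        srv.serve_forever()
```

The filter is only as good as the network separation around it: on a Whonix-style gateway it listens on the internal interface and the workstation has no route to the real ControlPort at all, so a compromised browser is limited to the whitelist above and cannot learn the gateway's public address.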