Safety of thunderbird credentials with Firefox and websites with file-browsing scripts on Linux

I'd like to set up an instance of Thunderbird on a Fedora VM (with a VPN). I want it to use ONLY an alias I have set up with the email providers. But I will still have to use my real credentials to log into the server. So they are in `.thunderbird` somewhere. I have to deal with websites on that VM that are pretty invasive by nature (rental tenancy applications like 2apply, snug.com, etc). Each are in a Firefox Container. They all have the facility to browse your system to upload files and documents, or 'drag-and-drop' - i.e. I have enabled those scripts in NoScript, and I have no choice about that. I'm worried that information will leak from Thunderbird to the websites, particularly my real email address. I understand/believe/have heard that linux doesn't allow programs to work without explicitly commanding them to do so, but... haven't I done exactly that with the websites by enabling file-uploading scripts? How should I think about this? Is it really a risk?