Attack summary: the timings of and between key presses are unique to each person. They are actively used in the wild to track individuals with extreme accuracy, which leads to complete unmasking.
The only choices that seem available are to:
- write a custom keyboard device driver. Difficulty: very hard. Unlikely to get mainlined.
- abstract the system keyboard input as an (internal) network stream that we can add random latency to before releasing it back to the system. (Idea inspired by )
The second option is best because it's display-server agnostic, system-wide, and easier to implement.
How option 2 would work:
Netevent is a program that redirects input events from the host to a specified destination. Naturally we can set the destination as the host too over the loopback interface. Apply the netfilter queueing rules by @ethanwhite on loopback to introduce random delays.
This package would run as a service on the host, out of reach of malicious code in the VM, and provide system-wide protection.
Testing whether the defense actually works:
Mouse pointer motion fingerprinting is another effective attack. Luckily netevent also abstracts mouse input events.
 https://github.com/Blub/netevent/wiki/Share-devices-over-the-net (GPLv2)
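An added illustration, not part of the original post and not netevent or netfilter code: a Python simulation of the random-latency idea from option 2, run on constructed key-event timestamps. It assumes a 100 ms maximum delay and shows why each event's delay has to be bounded below by the previous release time, since independent per-event delays can reorder key events.

```python
import random

MAX_DELAY_MS = 100  # assumed cap on added latency; not a value from the post

# Constructed key events (arrival time in ms, event name) with overlapping keys.
SAMPLE = [(0, "h_down"), (60, "i_down"), (80, "h_up"),
          (130, "i_up"), (210, "space_down"), (290, "space_up")]

def naive_delay(events, rng, max_delay=MAX_DELAY_MS):
    """Independent random delay per event; the system sees release order."""
    return sorted((t + rng.uniform(0, max_delay), name) for t, name in events)

def ordered_delay(events, rng, max_delay=MAX_DELAY_MS):
    """Random delay per event, never released before the previous event."""
    out, prev_release = [], 0.0
    for t, name in events:
        lower = max(t, prev_release)                 # keeps the original order
        release = rng.uniform(lower, t + max_delay)  # caps delay at max_delay
        out.append((release, name))
        prev_release = release
    return out

def reorder_rate(scheme, events, trials=1000, seed=1):
    """Fraction of trials in which the released event order changed."""
    rng = random.Random(seed)
    want = [name for _, name in events]
    bad = sum([n for _, n in scheme(events, rng)] != want for _ in range(trials))
    return bad / trials

def first_interval_range(scheme, events, trials=1000, seed=1):
    """Min and max observed gap between the first two released events."""
    rng = random.Random(seed)
    gaps = []
    for _ in range(trials):
        released = scheme(events, rng)
        gaps.append(released[1][0] - released[0][0])
    return min(gaps), max(gaps)

if __name__ == "__main__":
    print("naive reorder rate:  ", reorder_rate(naive_delay, SAMPLE))
    print("ordered reorder rate:", reorder_rate(ordered_delay, SAMPLE))
    print("true first gap: 60 ms, observed range:",
          first_interval_range(ordered_delay, SAMPLE))
```

The gap an observer measures between the first two events no longer equals the typist's 60 ms, while the order-preserving scheme still delivers every event in the sequence it was typed.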