[parliament32]

The host (hypervisor) can usually dump a guest's (VM's) memory, or tamper with it. This removes that attack vector, whether it's from a rogue Google sysadmin, or from another user who escalated to the hypervisor.

Google probably has root by default via an agent, but you can remove that. Google can probably run single user mode to change your root password, but you can change your bootloader/kernel to forbid that. Google can probably mount your disk images and just read them, but you can use full disk encryption to avoid that.

[emceepeepants]

Google does not have an agent on confidential vms; that defeats the purpose. The confidential VM runs a shielded OS which includes vTPM based attestation to protect against boot/rootkits so you know if someone has tampered with your boot chain up thru kernel.