[jasomill]

VMware Fusion isn't sandboxed and installs daemons running as root (which requires Gatekeeper approval or bypass to run, followed by an admin password to install the daemons).

AFAIK, XProtect is the only remaining line of defense against malware installed in this way.

[Sporktacular]

So, Little Snitch helps unless your adversary is either really good at what they do or really rich. Maybe nothing can be done in those cases, but I'd like to see the limitations of such software placed on the box.