pKVM VMs run "on the side" rather than "on top" of the host OS, so any compromise of the host is isolated from guests, besides DoS.