I had this idea the other day: to run a Mac mini host (primarily because it's the cheapest game in town with sufficient built-in security hardware, i.e. it has SEP and SIP) with a Linux ARM distribution in a VM as a server. However, I'm worried about the attack surface of the exposed macOS host.
My implicit threat model is that I wouldn't want to trust any "system apps, services, and processes, as well as digitally signed apps that are opened automatically by other apps." I am looking for a routing solution to this problem which wouldn't rely on macOS doing its job properly.
Is there a way to securely restrict the host's Internet access while simultaneously allowing it for the VM running on this host, perhaps by routing or custom software on the router side of things? I'll be more than happy to build a router from the ground up using something like a Raspberry Pi to achieve this goal.
Cheers,
Ian