There isn’t a whole lot (aside from it being slightly more expensive than just passing things through to hardware as fast as possible) keeping a hypervisor from doing whatever amuses it with a VM. It has full visibility of RAM and typically of mass storage and peripherals as well (physical peripherals attached to the VM’s PCIe root may be an exception depending on implementation).
However, aside from the “can’t really worry about everything here…” aspect, in the VPN case it’s less dramatic because the VPN is, by design, a man in the middle on all the network traffic; a position where you don’t actually need to tamper with the VPN endpoint to obtain a very privileged position.
The point of VPNs (when used as a privacy/security measure, rather than just because a VPN over the public internet is crazy cheap compared to a dedicated hard line between most points A and B) is just that you get to choose your man in the middle; and that web connectivity situations are dire enough that there are choices that are sensible in context.
Even in the onion routing case, which sacrifices much to obfuscate the link between the origin and the exit of traffic, the exit node still gets to be man in the middle; just hopefully one who isn’t quite sure where one of the ends is.