Ultimately, this is up to the hypervisor (KVM, Xen, Virtualbox) to prevent. But we can implement defense-in-depth to mitigate chances of malware ever getting a chance to hack away at the hypervisor.
How secure is the hypervisor?
All hypervisors have had privilege escalation exploits. (Search: hypervisor-name CVE list). While researchers have been able to craft proof-of-concept malware, to my knowledge, such malware has never been found in the wild. That doesn’t mean they don’t exist - they may be undetected or carefully targeted. This is one of the ways that Whonix contributes to your security - by protecting your privacy. If your adversaries don’t know who you are or where you are, then it becomes more difficult for them to target you specifically with custom malware. If they have to rely on generic mass malware, then there’s a greater chance that it won’t work on your system or that they’ll be discovered by other users.
How to secure guest VMs