VMs don’t hide all hardware information, and they don’t hide the CPU model.
See "Protocol Leak and Fingerprinting Protection" and "Restrict hardware information to root".
It can’t. I’ve tested it. Those programs will fall back to /sys, which is also restricted.
There are tons of hardware, kernel, debug info etc. in /sys. /sys is especially problematic and has been the cause of many infoleaks such as kernel pointer leaks.
AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy can do that assuming no kernel compromise.