Xen can give false sense of security too, there was years undiscovered vulnerability that allowed escape from domU to dom0.