In theory dedicated hardware is almost always better, especially if the SBC is running in a dedicated network segment properly isolated from other hosts.
In practice it really depends on the threat model, aka the kind of attacks you are facing.
Well, it depends. If you’re using the same ethernet cable for both host and guest, and you set the “Promiscuous Mode” to “Allow All”, keep in mind the guest will be able to see all host traffic.
If you have shared folders between host & guest, the compromised guest can have access to those shared folders.
If I were you, I would use two physically different networks, one for each, or at least VLANs, and forbid the guest network to see anything in the host network.
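The two exposures named in the post above (a bridged NIC with promiscuous mode set to “Allow All”, and host folders shared into the guest) can both be read straight out of VirtualBox’s own config dump. The following audit script is an added example, not code from the thread or from VirtualBox: it parses the `key="value"` lines that `VBoxManage showvminfo <vm> --machinereadable` prints and flags both conditions. The key names (`nicN`, `nicpromiscN`, `bridgeadapterN`, `SharedFolderNameMachineMappingN`, `SharedFolderPathMachineMappingN`) are assumed from that output format, and the embedded sample is constructed so the script runs offline.

```python
"""Audit a VirtualBox VM's NIC promiscuous mode and shared folders for guest-to-host exposure.

Added example (not from the forum thread). Assumes the key names emitted by
`VBoxManage showvminfo <vm> --machinereadable`.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of --machinereadable output (not captured from a real VM).
SAMPLE_SHOWVMINFO = '''\
name="homelab-guest"
nic1="bridged"
bridgeadapter1="eth0"
nicpromisc1="allow-all"
nic2="hostonly"
nicpromisc2="deny"
nic3="none"
SharedFolderNameMachineMapping1="hostdocs"
SharedFolderPathMachineMapping1="/home/user/Documents"
'''


def parse_machinereadable(text: str) -> Dict[str, str]:
    """Turn key="value" lines into a dict, stripping the surrounding quotes."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        info[key.strip()] = value.strip().strip('"')
    return info


def audit(info: Dict[str, str]) -> List[str]:
    """Return one warning per risky setting found in the parsed VM info."""
    findings: List[str] = []
    # 1. Any NIC whose promiscuous mode is 'allow-all' can see every frame on the
    #    link it shares with the host, i.e. the host's traffic too.
    for key, value in info.items():
        m = re.fullmatch(r"nicpromisc(\d+)", key)
        if m and value == "allow-all":
            n = m.group(1)
            mode = info.get(f"nic{n}", "?")
            adapter = info.get(f"bridgeadapter{n}", "")
            findings.append(
                f"NIC {n} ({mode} {adapter}): promiscuous mode 'allow-all' lets the guest "
                f"sniff host traffic on the shared link; "
                f"fix with: VBoxManage modifyvm <vm> --nicpromisc{n} deny"
            )
    # 2. Every shared folder is a host path a compromised guest can read (and often write).
    for key, value in info.items():
        m = re.fullmatch(r"SharedFolderNameMachineMapping(\d+)", key)
        if m:
            path = info.get(f"SharedFolderPathMachineMapping{m.group(1)}", "?")
            findings.append(
                f"Shared folder '{value}' -> {path}: accessible to a compromised guest; "
                f"remove it or restrict it to read-only"
            )
    return findings


def audit_vm(vm_name: str) -> List[str]:
    """Run VBoxManage for a real VM and audit its output (needs VirtualBox installed)."""
    out = subprocess.run(
        ["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit(parse_machinereadable(out))


if __name__ == "__main__":
    for warning in audit(parse_machinereadable(SAMPLE_SHOWVMINFO)):
        print("WARN:", warning)
```

Run it as-is to see the two warnings for the constructed sample, or call `audit_vm("your-vm-name")` on a host with VirtualBox. A host-only or internal-network NIC with `nicpromisc` left at `deny` (NIC 2 in the sample) is not flagged, which is the configuration the post recommends.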
As long as the VM hypervisor and the virtualized OS are both kept up-to-date it’s not less secure than running a bare-metal server.
Though any time you have a multitenant system, there’s going to be some chance that an attacker could breach the sandbox in some way. There are zero day attacks and the possibility of getting behind on updates.
I would be curious about the two scenarios. Is it a quest to save power? If so, a Raspberry Pi takes a minuscule amount of power compared to an Intel/AMD system. Running the x86 constantly without the Raspberry Pi is likely to be worse than running the Raspberry Pi constantly and the x86 sometimes.
The rowhammer bug was exposed a few years ago, where flaws in DRAM allow processes to bypass OS security boundaries using the actual hardware. Not sure if new DRAM still suffers from this, but at the very least it’s a concern for older systems.
I came to say this! VM/container security is a joke, first because we find 0-days every now and then (as in every system, I guess) but mostly because hardware attacks are very feasible and likely, and neither hardware manufacturers nor systems maintainers are doing much about it.
Why are they not doing much? Because it would take years of R&D without publishing new hardware, and accepting a 50-100% (numbers off the top of my hat) slowdown on every operation on existing hardware to attain some minimal level of security in regards to rowhammer-style attacks.
Feel free to check the latest articles/discussion on rowhammer on news.ycombinator.com or lobste.rs; it’s pretty depressing. To be fair, security was never a concern for modern hardware manufacturers, who only care about performance (because that’s what gets listed in the reviews and brings money to their business).
Sorry, I downvoted, but there was ample evidence otherwise over the years and your overconfidence does not help attain an enlightened conclusion.