The fact it runs on the same hardware isn’t super important, given most malware doesn’t infect hardware. For the rare malware that does (ie. firmware/UEFI malware), they have to get past the hardware abstraction layer that the hypervisor presents to the VM to access, which isn’t easy.

Most malware instead affects the file system of the environment you’re running in (ie. user files, applications and the OS). Since the file system of a VM is typically contained within the VM itself (virtual disks) and it does not share a file system with the host, any malware that infects the guest will not infect the host.

Unless the malware is specifically designed to exploit a vulnerability in the hypervisor and allows it to escape.