Xen is paravirtualization and I suggest using it over anything else other than physical layer isolation. Full hardware virtualization like Virtualbox is where the danger is. I agree that paravirtualization is secure enough, and that it is certainly better to isolate apps from external IP address with paravirtualization than not to isolate apps from external IP address at all. I also recognize that paravirtualization and OS virtualization are fairly common security techniques used by people who are very good at security. I knew virtualization could be used for isolation like this (and it should be if you are not using physical layer isolation), but I didn't realize that paravirtualization was the best choice or that full hardware virtualization caused a substantial hit to guest OS security before.