The VM is definitely safer by an order of magnitude, because you can use hardware CPU features to guard address areas and have separate Kernels for your games and other OS. However, look at this recent security hole: https://lemmy.zip/post/67733533
Security is never absolute, it’s always relative. It’s also never done, as with time any system can become hacked. Security is both a process and a consideration.
Your threat model is that you download malware which is either written for Windows or has some nasty Linux exploits baked in (as Steam Decks are popular now aswell). I doubt if most people run games without sandboxes that they try to get out of a user namespace with a privilege escalation. Sandboxing in Linux is done with Kernel level separation, and very secure.
Hackers who want to get your data who use a 0day sandbox breaking exploit really deserve your data. If they can do this they’re basically the elite of hackers. Most stuff will be simple crypto trojans and credential stealers, focused at Windows, which are both stopped dead in their tracks by sandboxing.
Let’s say you get 99.9% safety against your specific threat model with sandboxing. If you have 1000 exploits, one might be able to break it, good luck finding 1000 exploits in pirated games even if you try to collect them. And with VMs you might have 99.99% safety but so much less performance and so much more hassle it’s not worth it.
There are lower hanging fruits to hack you at that point. In reality there might be an even lower likelyhood of Windows games breaking out of a sandbox or VM on Linux. I have never even read about something like that happening once.
Exactly my thoughts. If the credential stealer is coded halfway competently, it doesn’t matter if the creds lay on C: or Z:
After all, WINE is trying to emulate Windows with all its quirks and features, which will also mean that it runs Windows viruses perfectly fine. Heck, I think WINE can probably run Windows viruses better than Windows itself.