As a consumer, it’s fine. Not like anyone bothers to audit and compare the KVM VirtIO drivers every week to protect against malware. It phones hone to check activation status and such, but that’s just commercial software doing its thing. Running Windows is much worse for your privacy than a license check for Oracle’s extensions.

The age old comparison between Oracle and a lawnmower still comes to mind. The lawnmower doesn’t have I’ll will against you, or does it favour you. The lawnmower cuts grass. If you’re in the way, it will hurt you or because it has any desire to, but simply because that’s what it does. Don’t get in the lawnmower’s way and you can enjoy the smell of freshly cut grass on your lawn.

If you’re a business or professional, avoid Oracle. Oracle is a bunch of lawyers that have an IT side hustle. They give away their shiny toys for free in the hope you convince your boss to give it a spin, and that’s when they pounce with their elaborate licensing schemes. Paying Oracle is a liability, but use their stuff as much as you like.

Running privacy distros in a VM is always a little questionable. You’re risking submitting deanonimising data by sending background traffic from the host machine. Half committing to privacy tools is exactly how people get found.

If you’re looking for VirtualBox alternatives, virt-manager combined with KVM (or Xen, or another supported API) works quite well. USB forwards and PCIe forwards work fine and because Red Hat (IBM) is behind it, the licensing risks are a lot lower. You can use command line tools to convert VirtualBox images to libvirt images too.

If you want to take things even further, look into Cassowary. It leverages RDP’s ability to only forward a single remote application. It will add select Windows programs to your Linux application menu and auto start/stop the Windows VM on demand. There’s some setup that you need to do to make it work right, but once it’s running it works very well in my experience.