This is one reason I do like the features of newer CPUs like AMD's Zen line with memory encryption. Combined with the IOMMU/VT-d features, it should be possible to isolate a hardware device from reading all RAM, just the buffers that it should be able to access. That'll come with a performance hit (based on current hardware being used for VM gaming, maybe about 10%-ish at worst), but it would be acceptable for security if that level of attack is something you want to guard against.
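Before relying on the IOMMU to confine a device's DMA, a practitioner normally checks two things on the host: that the IOMMU is actually on (Linux then populates `/sys/kernel/iommu_groups/`), and that the device sits alone in its group, because VFIO can only hand out whole groups, so a device sharing a group with others cannot be isolated on its own. The script below is an added example, not code from the commenter or any project; it takes the sysfs root as a parameter (defaulting to `/sys`) so it can be exercised against a constructed directory tree, and the `has_cpu_flag` helper looks for the `sme`/`sev` flags that Linux reports in `/proc/cpuinfo` on AMD parts with memory encryption.

```sh
#!/bin/sh
# Added example (not from the original comment): pre-flight checks for
# IOMMU-based device isolation. ROOT is the sysfs root, default /sys; the
# test passes a constructed tree instead of the real one.

# Print one line per IOMMU group listing its devices, marking groups that
# hold more than one device (such a device cannot be isolated by itself).
list_iommu_groups() {
    root="${1:-/sys}"
    groups_dir="$root/kernel/iommu_groups"
    if [ ! -d "$groups_dir" ]; then
        echo "no IOMMU groups under $groups_dir (IOMMU disabled or unsupported)"
        return 0
    fi
    for g in "$groups_dir"/*; do
        [ -d "$g/devices" ] || continue
        n=0
        names=""
        for d in "$g/devices"/*; do
            [ -e "$d" ] || continue
            n=$((n + 1))
            names="$names ${d##*/}"
        done
        if [ "$n" -gt 1 ]; then
            echo "group ${g##*/}:$names (SHARED: $n devices, cannot be isolated individually)"
        else
            echo "group ${g##*/}:$names"
        fi
    done
}

# Echo the number of groups that contain more than one device.
count_shared_groups() {
    root="${1:-/sys}"
    groups_dir="$root/kernel/iommu_groups"
    shared=0
    [ -d "$groups_dir" ] || { echo "$shared"; return 0; }
    for g in "$groups_dir"/*; do
        [ -d "$g/devices" ] || continue
        n=0
        for d in "$g/devices"/*; do
            [ -e "$d" ] || continue
            n=$((n + 1))
        done
        [ "$n" -gt 1 ] && shared=$((shared + 1))
    done
    echo "$shared"
}

# Return 0 if FLAG appears on the first "flags" line of CPUINFO (default
# /proc/cpuinfo). On AMD, "sme" means Secure Memory Encryption is available
# and "sev" means Secure Encrypted Virtualization is available.
has_cpu_flag() {
    flag="$1"
    cpuinfo="${2:-/proc/cpuinfo}"
    grep -m1 '^flags' "$cpuinfo" | grep -qw "$flag"
}

# Stand-alone usage: report on the live system.
if [ "${1:-}" = "--report" ]; then
    list_iommu_groups /sys
    echo "shared groups: $(count_shared_groups /sys)"
    for f in sme sev; do
        if has_cpu_flag "$f"; then echo "cpu flag $f: present"; else echo "cpu flag $f: absent"; fi
    done
fi
```

Run it with `--report` on the host. A nonzero shared-group count is the thing to look at: the usual causes are PCIe bridges without ACS support and multi-function cards, and the fix is a different slot or hardware, not a kernel setting that can be flipped safely.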