brent the theory being you can't infect a sandbox (vm)
It's actually a lot simpler than that. VMs have a feature called "snapshots" that allow you to easily save current running states with a click of the mouse. Then that snapshot is stored and its name added to a list of snapshots, and the runtime you're then using is a new "current state."
You can change back to a previous state by clicking the mouse on its name in the snapshots list, thereby discarding the current state and replacing it with the snapshot you've selected.
I created a Solus Budgie VM, and after I'd fully configured it, I created and saved a snapshot named "Configured." Afterwards, I could download anything from anywhere, visit any websites, install applications from outside the Solus repositories, or whatever, and not need to worry that I would harm my host machine. If I run into any trouble on the VM, I can simply reload the "Configured" snapshot, and go on with my life.
If I don't run into any issues on the VM, I'm pretty sure I can safely take the same risks with my host machine (which is fully backed-up anyway).