daxfohl 4 days ago
There's no such thing as a temporary read in LLM land though. Once it's in context, you have to assume everything else connected to the agent will be able to exfiltrate it until the agent is killed and the context wiped. Note, this is the case whether running in a VM or not, so I agree that a VM is not a security solution.