I have a post coming next week about the guts of this thing, but I'm curious why you think we'd avoid running the storage stack inside the VM. From my perspective that's safer than running it outside the VM.

My impression is that you (very reasonably) treat anything inside the VM as untrusted. If you want trusted rollback, presumably that implies that the VM can't have any ability to tamper with the snapshot?

But maybe you have parts of the stack that don't need to be trusted inside the VM somehow? Looking forward to the article.

Safer from what? It depends whether you're protecting the infra or the data.