As KVM is part of the Linux kernel, I assume you’ll have to look into kernel hardening instead, next to OS hardening. Hardware is also important to consider when talking about VM escaping. A CPU that supports better VM isolation features and encrypted memory
Good is relative tbf. I’ve had issues installing something natively while installing flatpak just worked