Would be interesting if you know of any evidence about being an architectural hw limitation. Though of course the practical difference may be small if the DRM bootloader enforces loading the hypervisor through cryptographic checksums. But I guess if a customer asked they would allow it and the hardware could do it.