You can't really do anything useful with a VM either unless you start punching holes in those boundaries.
Exactly.
If your VM can't do anything, it's probably not very useful.
Doing things, meaning reading/writing files, communicating between VMs, services, etc.
I didn't say run in an air-gapped VM... Just as a means to better isolate the workloads I have running (some less trusted than others). Network connectivity and the associated vulnerabilities obviously remain.