It can be both.  The virtual machine is like a separate PC and if it's running linux, then even better.   A malware on the vm cannot harm the host, and a malware on the host (assuming windows os) cannot harm the vm, however if someone is able to control your host os, then they can start the vm and do damage, or "steal/copy" from the vm.

This would be very visible on the screen but if the host os is running at night and you're asleep, then... 

The idea is to secure the factom wallet from any malicious copying as it's not password-protected.  Running enterprise-wallet in a brand spanking new linux os and installing nothing else but enterprise-wallet using the one line command (well you do have to run the firefox on the xubuntu vm to go to github to download the factom enterprise wallet binary and maybe to run sha256sum to check the hash), voila, you're up and running with a good, clean enterprise-wallet.  The other challenge is to connect it to a factomd daemon, but that's a separate worry for now...

When the vm is shutdown (recommend to use the xubuntu "start" menu to shutdown after closing the enterprise-wallet application), then the factom wallet is "secure" not open for copying or deleting by anyone.  When you need it, just start/power on the vm.  [BACKUP (to outside of the vm) is important of the /home/userName/.factom folder to an encrypted container (i.e. veracrypt) as it's not password-protected.]