Unless they prove themselves or have someone as a security expert, it will be much safer for them to use shared hosting rather than a VPS/dedicated server.
That presumes that every other account on that very same box isn't doing anything dishonest.
If you successfully compiled or uploaded a packet sniffer on virtual machine #1, it will sniff packets for every other virtual machine on that box.
You also place an inordinate amount of trust in the jail system of the OS -- making sure that the various virtual machines can't see each other across the hard drive(s) they share.
And lastly, you'd be sharing SQL database access with everyone else on the virtual machine. That could open up vulnerabilities if permissions are not exactly right.