(for added security I run it inside an encrypted single purpose virtual machine where 99.9% of malware won't find it).
Well yeah.. you don't gain anything security-wise with that.
Your virtual machine is worthless if the host is compromised.
And security by obscurity is (and always has been) a bad practice.
What I want is a single wallet, based on that single seed phrase, which has separate compartments that work like separate wallets.
What you are looking for is basically any wallet which lets you adjust the derivation path.
BIP 32 / BIP 44 specifies the derivation path. And one parameter ("account") is being used for exactly that.
m / purpose' / coin_type' / account' / change / address_index
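The account level of the path above, as an added example that is not part of the original post: a standard-library Python sketch of BIP 32 hardened derivation down to m / purpose' / coin_type' / account', showing that each account index yields a separate key branch from one seed. The function names and the sample seed are assumptions made for illustration.

```python
import hashlib
import hmac

# Order of the secp256k1 group (public curve constant).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000  # offset that the ' marker adds to an index


def master_node(seed: bytes):
    """BIP 32 master node: (private key as int, 32-byte chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= N:
        raise ValueError("seed yields an invalid master key")
    return key, digest[32:]


def hardened_child(key: int, chain: bytes, index: int):
    """Hardened private child; needs only the parent private key, no EC math."""
    data = b"\x00" + key.to_bytes(32, "big") + (index + HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    child = (tweak + key) % N
    if tweak >= N or child == 0:
        raise ValueError("invalid child key, skip this index")
    return child, digest[32:]


def account_path(account: int, coin_type: int = 0, purpose: int = 44) -> str:
    return f"m/{purpose}'/{coin_type}'/{account}'"


def account_node(seed: bytes, account: int, coin_type: int = 0, purpose: int = 44):
    """Walk m / purpose' / coin_type' / account' and return that node."""
    key, chain = master_node(seed)
    for index in (purpose, coin_type, account):
        key, chain = hardened_child(key, chain, index)
    return key, chain


# Constructed sample seed for the demo only; never use it for real funds.
SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

if __name__ == "__main__":
    for account in range(3):
        key, _ = account_node(SEED, account)
        # Print a hash of the key rather than the key itself.
        tag = hashlib.sha256(key.to_bytes(32, "big")).hexdigest()[:16]
        print(account_path(account), "key fingerprint", tag)
```

Every account node is still derived from the same seed, so the compartments separate addresses and bookkeeping, not the underlying secret.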