Why would a VM for the project be annoying? What whole disk? They could look at the OS files installed I guess but there would be nothing belonging to any other project or user on there. If they change something they shouldn't you can roll it back. If you want to write data but not let them read it then write it to an external log server or a write-only disk. Complex security schemes are a lot more annoying than just properly dividing security between services.
I already spend more effort than I like ripping out useless security features. Every project has a virtual machine, or several, and they are isolated from each other. I don't need outdated security features that just get in the way. As it is I'd be more interested in a Linux distro that came with all that crap removed. It's been years since I used groups on a production server, I never found ACLs useful, I usually disable firewalls, filesystem permissions are a hassle far more often than they are useful, etc. Heck, the only time a real person logs into most of my systems is when something goes wrong with permissions or some other protection feature and causes a problem.
Make sure the virtualization servers are up to providing proper security between instances and from the network and then scrap all that stuff in the guest OS.
I used to use fanciful names but anymore I have way too many servers to do that with. So now we get VMHOSTn (VMHOST3, VMHOST55, etc.), WEBn, ISCSIn, etc. And usually n represents the last octet of the primary IP address. 10.1.1.1 might be ISCSI1 while 10.4.5.6 might be WEB6.