VMware Cloud Community
Vingallo
Contributor

Inter-VM and Host isolation - Help

Looking for a solution to prevent malware spreading between VMs and also prevent it spreading to the host.

Each VM will be used to test applications which may be malicious, and that DO require an internet connection and inbound connections.

Some initial ideas, thoughts and questions:
1) Does it make sense to connect all VMs to a virtualized OPNsense to prevent them from talking to each other and to the host, but provide access out to the internet?
2) Is there a way to pass through dedicated drives for each VM, or a way to segment partitions to prevent malware spreading from one VM to another?
3) Host protections: not sure how to isolate the host.
4) Memory is a shared asset; is there any way to protect volatile memory amongst VMs?
5) I am sure there is a lot I am missing. Any ideas? Is what I require beyond the capabilities of ESXi, or is it at all possible?

Hopefully this thread will be a repository of information for others looking to achieve the same thing. I will do my best to post my findings and the results of my experimentation, but would like your input.

Please let me know what is the best way to achieve the desired result, to prevent malware from spreading to the host or other VMs?

Thank you.

3 Replies
IRIX201110141
Champion

There are

  1. NSX and the distributed firewall
  2. Private VLANs

which separate VMs within the same L2 subnet.

Regards,
Joerg

Vingallo
Contributor

Storage? Can one VM pass "bad stuff" to another?

Vingallo
Contributor

Networking can easily be firewalled between VMs, but how can we prevent disk from one VM to another or from a VM to the host?