Traditionally, a hypervisor provides no abstractions: It gives every guest a view of the raw hardware, as if they were running alone on the machine. You could run hypervisors under hypervisors, recursively, endlessly (to the limits of hardware) without having to modify the hypervisor one bit.
Hypervisors could be used to run OSes and application software designed to run alone on the hardware, which was more common, of course: VM/CMS was a classic design, with VM being the hypervisor and CMS being an OS about as complicated as MS-DOS. CMS provided all of the abstractions and absolutely no security, not even being able to run multiple applications at once, and VM allowed multiple CMS guests to run at the same time.
It's secure because the VM is invisible. Ideally, there's no attack surface whatsoever, because guests can't attack what they can't see. You might as well punch the air.
Hypervisors could be used to run OSes and application software designed to run alone on the hardware, which was more common, of course: VM/CMS was a classic design, with VM being the hypervisor and CMS being an OS about as complicated as MS-DOS. CMS provided all of the abstractions and absolutely no security, not even being able to run multiple applications at once, and VM allowed multiple CMS guests to run at the same time.
It's secure because the VM is invisible. Ideally, there's no attack surface whatsoever, because guests can't attack what they can't see. You might as well punch the air.
How true any of that is today I don't know.