I’m not sure if /dev/vsock requirement is new, when @stgraber wrote that post he presumably only needed to pass /dev/vhost-vsock.
So by default on my Ubuntu system /dev/kvm has these permissions:
ls /dev/kvm -l
crw-rw----+ 1 root kvm 10, 232 Aug 22 08:29 /dev/kvm
So it's only accessible by either the root user or a user in the kvm group.
So that suggests that if it were accessible to a wider set of users there may be security issues.
By passing it into an unprivileged container, the device is copied and configured so it is accessible by the unprivileged root user (or more if you set the gid settings on that LXD device, see Instance configuration - LXD documentation).
So at the very least you are implicitly granting the permissions that the root user (or kvm group users) on the host had to
/dev/kvm to your container’s unprivileged root user.
I'm not sure if there are known security issues with that approach; it's more that you need to be aware that those devices are not container-aware, and so it is at least possible that a process inside the container could do something it wouldn't normally be able to do.
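To make the permission reasoning in this post concrete, here is an added example (not code from the thread or from LXD) that evaluates who gets read+write on a device node from its mode, owner and group, the same check the kernel applies to `crw-rw---- root:kvm /dev/kvm`. The kvm gid (108), the host user ids and the container id mapping (container root = host uid 100000) are constructed values; the ownership LXD gives the copied node inside the container is assumed from the post's description, not taken from LXD's source.

```sh
#!/bin/sh
# Added example: who can open a device node, judged only by mode/owner/group.
# All numeric ids below are constructed for illustration.

# mode_grants_rw MODE OWNER_UID OWNER_GID UID "GID GID ..."
# Exit 0 when UID (with the listed groups) has both read and write on the node.
mode_grants_rw() {
    mode=$(printf '%s' "$1" | tail -c 3)   # drop a leading setuid/setgid/sticky digit
    owner=$2 group=$3 uid=$4 gids=$5
    u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
    if [ "$uid" -eq 0 ]; then
        bits=6                      # real (host) root bypasses DAC mode checks
    elif [ "$uid" -eq "$owner" ]; then
        bits=$u                     # owner class applies; group/other bits are ignored
    else
        bits=$o                     # fall back to "other" unless a group matches
        for gid in $gids; do
            [ "$gid" -eq "$group" ] && { bits=$g; break; }
        done
    fi
    [ $(( bits & 6 )) -eq 6 ]
}

# device_rw PATH UID "GID GID ...": same check, reading mode/owner/group via stat(1).
device_rw() {
    st=$(stat -c '%a %u %g' "$1") || return 2
    set -- "$1" "$2" "$3" $st
    mode_grants_rw "$4" "$5" "$6" "$2" "$3"
}

# Host view: /dev/kvm is 660 root:kvm; kvm gid 108 is a constructed value.
KVM_GID=108
host_kvm() {   # host_kvm UID "GIDS" -> prints rw|none
    if mode_grants_rw 660 0 "$KVM_GID" "$1" "$2"; then echo rw; else echo none; fi
}

echo "host root:                     $(host_kvm 0 '')"
echo "host user 1000 in kvm group:   $(host_kvm 1000 "1000 $KVM_GID")"
echo "host user 1000, not in kvm:    $(host_kvm 1000 '1000')"
echo "container root seen as 100000: $(host_kvm 100000 '100000')"

# Container view (assumed): LXD re-creates the node inside the container owned by
# the container's root (uid 0 in its namespace), still mode 660.  With the LXD
# device's gid setting left at root's group (0), only container root gets rw;
# with gid=1000 on the device entry, container user 1000 gets rw as well.
ctr_kvm() {    # ctr_kvm NODE_GID UID "GIDS" -> prints rw|none
    if mode_grants_rw 660 0 "$1" "$2" "$3"; then echo rw; else echo none; fi
}
echo "container root (device gid 0):      $(ctr_kvm 0 0 '0')"
echo "container user 1000 (device gid 0): $(ctr_kvm 0 1000 '1000')"
echo "container user 1000 (gid=1000):     $(ctr_kvm 1000 1000 '1000')"

# stat-backed check on a constructed stand-in file (mknod needs root).
t=$(mktemp) && chmod 660 "$t"
if device_rw "$t" "$(id -u)" "$(id -g)"; then echo "owner of $t: rw"; fi
rm -f "$t"
```

Running it against the real node is `device_rw /dev/kvm "$(id -u)" "$(id -G)"`; the root shortcut models host root only, since inside a user namespace the container's uid 0 is an unprivileged host uid and is judged by the owner/group/other bits like any other user.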