
You are wrong. SELinux does protect adjacent VMs, by putting each VM into its own separate context and controlling which host files/devices are assigned to each context label. VMs cannot access files or devices on the host which are assigned to other VMs.

That is the purpose of the cXXX,cYYY part of the label as seen in the example here:

https://fedoraproject.org/wiki/Features/SVirt_Mandatory_Acce...
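The category check described in the comment above, as an added example that is not part of the original comment and is not libvirt or kernel code: a simplified Python model of MCS dominance, where a process may reach an object only if the process's category set is a superset of the object's. The labels are constructed sample values, the function names are hypothetical, and type enforcement (svirt_t versus the file type) is assumed to be decided separately.

```python
from typing import FrozenSet, NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    sensitivity: str
    categories: FrozenSet[int]

def parse_categories(field: str) -> FrozenSet[int]:
    """Expand 'c87,c520' or a range such as 'c0.c3' into category numbers."""
    cats = set()
    for part in filter(None, field.split(",")):
        lo, _, hi = part.partition(".")
        if not lo.startswith("c") or (hi and not hi.startswith("c")):
            raise ValueError(f"bad category: {part!r}")
        start = int(lo[1:])
        end = int(hi[1:]) if hi else start
        cats.update(range(start, end + 1))
    return frozenset(cats)

def parse_context(label: str) -> Context:
    """Parse user:role:type:sensitivity[:categories] (single-level labels only)."""
    parts = label.split(":")
    if len(parts) not in (4, 5):
        raise ValueError(f"unexpected label: {label!r}")
    cats = parse_categories(parts[4]) if len(parts) == 5 else frozenset()
    return Context(parts[0], parts[1], parts[2], parts[3], cats)

def mcs_allows(process_label: str, object_label: str) -> bool:
    """MCS dominance: the process categories must include every object category."""
    return parse_context(process_label).categories >= parse_context(object_label).categories

# Constructed sample labels: each VM gets its own random category pair.
VM_A = "system_u:system_r:svirt_t:s0:c87,c520"
IMG_A = "system_u:object_r:svirt_image_t:s0:c87,c520"
VM_B = "system_u:system_r:svirt_t:s0:c14,c361"
IMG_B = "system_u:object_r:svirt_image_t:s0:c14,c361"
SHARED = "system_u:object_r:virt_content_t:s0"  # no categories: MCS does not block it

if __name__ == "__main__":
    for vm in (VM_A, VM_B):
        for obj in (IMG_A, IMG_B, SHARED):
            print(f"{vm} -> {obj}: {'allow' if mcs_allows(vm, obj) else 'deny'}")
```

Both guests run as the same type (svirt_t), so it is only the differing category pair that keeps one guest away from the other guest's image.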

