> A VM would bypass monitoring software installed on devices the person uses.
Not really, no: a VM is just another userspace application and a monitoring software should be able to capture its traffic just fine. If he was also using a VPN, tor or conneting to a remote machine that's another story, but only saying he was using a VM doesn't really mean much.
It's possible to pass PCI devices directly to the VM at which point they don't exist as far as the host OS is concerned. You can pass an entire USB hub to the VM and anything plugged into it is invisible to the host OS (at least by default).
Ok, but you certainly need root privileges to do that, in that case you could bypass the monitoring software in many other ways.