IOMMUs are designed to prevent peripherals accessing all of memory, so you don't need to disable DMA.
If a device did manage to escape the confines of the IOMMU somehow, then it would likely just get the encrypted pages, which would be garbage without the keys to decrypt them.
Linux and macOS use the IOMMU for protection by default. Windows needs a lot of configuration to achieve that; otherwise it only uses it for virtualization.
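As an added example (not part of the comment above), a small POSIX shell script that checks the "IOMMU is on by default" claim on a Linux host: it lists every IOMMU group with its domain type and flags groups in an `identity` (passthrough) domain, where a device is not restricted by the IOMMU at all, and reads the Thunderbolt `iommu_dma_protection` flag. The sysfs paths are the real kernel ones; the sysfs root is a parameter so a constructed tree can be inspected instead of the live system.

```shell
#!/bin/sh
# Added example: inspect Linux IOMMU state via sysfs (not code from the thread).
# Assumed layout (real on modern kernels):
#   $ROOT/kernel/iommu_groups/<N>/type           domain type: DMA, DMA-FQ, identity
#   $ROOT/kernel/iommu_groups/<N>/devices/<dev>  one entry per device in the group
#   $ROOT/bus/thunderbolt/devices/domain0/iommu_dma_protection   1 = protected

# Print "group<TAB>type<TAB>device" for every device in every IOMMU group.
# Returns 1 if no IOMMU groups exist (IOMMU disabled or unsupported).
iommu_report() {
    root="${1:-/sys}"
    groups="$root/kernel/iommu_groups"
    found=0
    for g in "$groups"/*; do
        [ -d "$g" ] || continue
        found=1
        n=$(basename "$g")
        if [ -r "$g/type" ]; then
            t=$(cat "$g/type")
        else
            t="unknown"   # older kernels do not expose the domain type
        fi
        for d in "$g/devices"/*; do
            [ -e "$d" ] || continue
            printf '%s\t%s\t%s\n' "$n" "$t" "$(basename "$d")"
        done
    done
    [ "$found" -eq 1 ]
}

# Count devices in an identity (passthrough) domain. The IOMMU is enabled but
# these devices are not translated, e.g. after booting with iommu=pt, so they
# can still reach arbitrary physical memory.
iommu_passthrough_count() {
    iommu_report "$1" | awk -F'\t' '$2 == "identity" { n++ } END { print n+0 }'
}

# Thunderbolt DMA-protection flag exposed by the kernel, or "n/a" if absent.
thunderbolt_dma_protection() {
    f="${1:-/sys}/bus/thunderbolt/devices/domain0/iommu_dma_protection"
    if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}
```

Run `iommu_report` with no argument on a live host; an empty result or a large `iommu_passthrough_count` means the IOMMU is not actually confining those devices.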