Well, email is the primary threat distribution medium right now. So if a security engineer does not show scepticism about an unsigned, unencrypted email from an unverified source, I get picky.
Looking from a probability perspective, yes, you are right, this is a low-threat vector.
Also, I consider working as root in a VM an issue because security 101, lesson 1 is "avoid privileged accounts as much as possible". Why not work in an unprivileged shell account and use sudo whenever needed? VMs are not bulletproof: they can leak memory, make the host machine unstable or even crash it. There are hardly any PoCs out there, but VMs may be exploited to switch context to the host machine. Aside from these low-probability threats, while working with binaries of unknown origin, losing your whole work is a big probability. In this case it would not matter if you are inside a VM or not. VMs can be recovered, but lost time cannot be.
"Security 101" isn't all that relevant when you actually understand the threat vectors. If you can't create a clean, isolated, snapshotted VM for this sort of playing, you have no business applying for this sort of job.