While VMs can be escaped, you should keep in mind that a VM escape is an extremely valuable 0day.
So, if you get a piece of "interesting software" containing a VM escape, there are basically two scenarios:
1) you're targeted by a nation-state,
YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT.
2) you're dealing with a potentially nasty piece of malware, but it's using publicly known escape techniques.
Keep your VM software up-to-date! And don't even think about using sandboxing/containerizing software for testing BadStuff.
PS: while you're not super likely to find VM-escape in the wild, it's a lot more common for malware to have VM detection - meaning it won't activate when running in a VM, so it lulls you into a false feeling of safety.