Relying on what?
- A keylogger could not download and install itself in Ubuntu when there is no browser or other program running and Ubuntu is behind a NAT router?
- A keylogger running in Ubuntu could not intercept keystrokes meant for the banking vm especially when Sticky does not use the keyboard to log on?
- A keylogger running in the browsing vm could not intercept keystrokes meant for the banking vm when
Sure, the source code for VirtualBox is available and someone with enough skill could figure out how to jump from the browsing vm through VirtualBox to Ubuntu, then figure out which vm I am using for banking, then filter back through VirtualBox to the banking vm, then override Sticky and figure out what banking site I am going to, and capture the logon information when Sticky logs on.
Possible, but highly unlikely. It's not worth their time and effort when there are much easier targets available.
Besides, I don't have that much money in web-accessible accounts to make it worthwhile. They might get a few thousand, but the rest is offline and in secured accounts that require my presence and a manager's override to access.