Would having a VM inbetween help in that case? It seems like protecting against malicious GPU workloads requires the GPU to off virtualization to avoid this exploit.
This is helpful in explaining why AWS hasn't been excited to ship this use case in firecracker.
It would probably not stop all theoretically possible attacks, but it would stop many of them.
Say you find a bug in the GPU driver that let's you execute arbitrary code as root. That still all happens within the VM. To attack the host, you'd still need to break out of the VM, and if the VM is unprivileged (which I assume it is), you'd next need gain privileges on the host.
There are other channels -- perhaps you can get the GPU to do something funky on PCI level, perhaps you can get the GPU to crash the host -- but VM isolation does add a solid layer of protection.
This is helpful in explaining why AWS hasn't been excited to ship this use case in firecracker.