The existence of hypervisor rootkits and the vast scale of cloud provider operations argue for caution.
For example, a state-level actor can afford to train and place operatives into an AWS-scale organization with enough access to infiltrate and undermine the system.
We use bare metal hosts for the ZeroTier CAs. This is one reason, though cost/CPU is another. These machines are CPU-bound, spending most of their time signing network configs. CPU is way cheaper at OVH (bare metal) than anywhere else.
