If the VM vendors were doing their job properly then SCSI targets accessible from within a VM would themselves be virtual; for example with storage backed from a file (or partition) on the host machine. If VM vendors let a physical disk be accessed from within a VM then they should not be too surprised there might be security problems. The SANITIZE command (both ATA and SCSI) would be interesting.
Anyone thinking about command filtering should consider the SCSI command set (a moving target), the SAT standard and the fact that protocols other than SCSI use the SG_IO ioctl (e.g. SMP).
P.S. One would think Paolo Bonzini might bring up the subject on the linux-scsi list.