RE: How can I create a VM in virt-manager that can access the internet through the host but can't even see the host or other devices on the LAN?

I think such a thing can be done with macvtap. Check about using different vlans and test macvtap modes that prevent communicating with the host.

I don't have a router that I can create custom rules to block things. I was hoping there would be a way to do this entirely on the host but it doesn't look like it is possible.