Why would you need av for a vm? Just do it from pfsense level
Inter vlan comm won't even see pfsense. Not sure how that would help. Though I could put it on another vlan but then I have to punch a hole in the firewall to allow file shares to that other vlan, rather not do that.
Easier to try to eliminate the source of threat completely, by removing the need for windows altogether. Or at very least not having it running all the time. I only fire up the windows vm if I absolutely need to use a windows program like the ESX panel, but it's kinda cubersome, would rather not need to do that at all, so I stick to open source as much as I can.
Whether it's a VM or a physical machine, it's still an OS installation that requires the same level of management.