
When I first began learning how virtual machines (VMs) work, I assumed that a VM must run at the lowest CPU privilege level, as often depicted in the above figure. However, after learning the mechanics of system calls, I realized that a guest OS can actually run at the same privilege level as the host OS.
The figure should look like the following:

Most modern CPUs incorporate hardware virtualization support. For example, Intel CPUs provide VMX root and non-root modes for the host and guest operating systems respectively, so each OS has its own full range of privilege levels, from Ring 0 to Ring 3.
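The following C program is an added example, not part of the original post. It shows that the ring is reported the same way on a host and inside a guest, while virtualization is signalled separately through CPUID. The function names are hypothetical, and it assumes GCC or Clang on x86 for the live reading.

```c
#include <stdint.h>
#include <stdio.h>

/* CPUID leaf 1, ECX bit 5: the CPU exposes Intel VMX to this OS. */
static int cpu_has_vmx(uint32_t ecx) { return (ecx >> 5) & 1; }

/* CPUID leaf 1, ECX bit 31: reserved for hypervisors to announce themselves
 * to a guest. A hypervisor may choose to hide it, so 0 is not proof of bare metal. */
static int hypervisor_present(uint32_t ecx) { return (ecx >> 31) & 1; }

/* The low two bits of the CS selector are the current privilege level (ring).
 * This field is independent of VMX root/non-root mode. */
static int ring_from_cs(uint16_t cs) { return cs & 3; }

static const char *describe(uint32_t ecx, uint16_t cs, char *buf, size_t n) {
    snprintf(buf, n, "ring %d, hypervisor bit %s, VMX %s", ring_from_cs(cs),
             hypervisor_present(ecx) ? "set (running as a guest)" : "clear",
             cpu_has_vmx(ecx) ? "exposed" : "not exposed");
    return buf;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Read the real CPUID.1:ECX value and the CS selector of this process. */
static int read_live(uint32_t *ecx, uint16_t *cs) {
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    *ecx = c;
    __asm__ volatile("mov %%cs, %0" : "=r"(*cs));
    return 1;
}
#else
static int read_live(uint32_t *ecx, uint16_t *cs) { (void)ecx; (void)cs; return 0; }
#endif

int main(void) {
    char buf[96];
    uint32_t ecx;
    uint16_t cs;
    if (read_live(&ecx, &cs))
        printf("this process:   %s\n", describe(ecx, cs, buf, sizeof buf));
    /* Constructed samples: 0x10 and 0x33 are the Linux x86-64 kernel and user
     * code selectors; the ECX values only set the bits under discussion. */
    printf("guest kernel:   %s\n", describe(0x80000000u, 0x10, buf, sizeof buf));
    printf("host user mode: %s\n", describe(1u << 5, 0x33, buf, sizeof buf));
    return 0;
}
```

Run as an ordinary process, it reports ring 3 both on the host and inside a VM. Inside a guest the VMX bit is set only when the hypervisor exposes nested virtualization.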