The recent generation of the mainframe (i.e. the z15) has the possibility to run protected KVM guests, so that the administrator of the host LPAR does not have the possibility anymore to read or alter the memory of a guest. This feature is called “Secure Execution” on the IBM Z.
IBM now published a nice introduction and demo of this new feature, which is in my opinion quite worthwhile to watch if you want to get a basic idea about running protected guests:
The video contains a short introduction into the concepts of the secure execution feature, followed by a demo that shows how to prepare a protected guest VM.