gVisor supports for GPU

This blog post says gVisor supports sandboxing GPU workloads now: https://gvisor.dev/blog/2023/06/20/gpu-pytorch-stable-diffusion/.  Given GPU workloads rely on DMA to transfer data in between the GPU memory and DRAM, does gVisor prevent the workload from issuing arbitrary DMAs on instances without the IOMMU support?  If so, can you point me to the details of the protection in the doc and/or code?

gVisor doesn't introduce any additional hardware-level isolation beyond that which is configured by the Nvidia kernel-mode driver.

Do you happen to know if the Nvidia's kernel-mode driver apply any checks on the DMA?  Is there a list of isolations enforced by the Nvidia's driver?