In all my years of emulation, I've never come across a malicious ROM for a major console.

Dolphin runs its own VM. Obviously anything is possible, but developing some kind of breakout-ROM which would infect the host machine is just way more engineering than I could imagine ever being worth it. The vector is just too complex, and the target (nerds downloading retro games) just isn't worth the squeeze.

Archive.org actually hosts a good chunk of the major Gamecube ROMs. Good luck!