How does libpcap read network packets, and why can it not operate in some VMs?
1 vote, 0 answers, 149 views
I'm interested to learn how libpcap reads network packets, as I am finding it is not possible when running on AWS Lambda.
From what I can understand, you need either or both of the CAP_NET_ADMIN and CAP_NET_RAW capabilities, which would allow the relevant Linux kernel system calls to read packets from the network device.
However, I understand that if you are operating in a VM environment, you would be reading packets from the physical network device, not the virtual one created inside the VM? This would result in the ability to read packets from _every VM_ running on the same host, which is clearly why the ability is removed from hosts, e.g. Lambda.
I'm wondering why libpcap works this way, and why it cannot read packets from the virtual network device instead? Also, are there any other solutions that might work in a heavily isolated environment such as Firecracker MicroVMs?
Asked by Matty F
(111 rep)
Apr 19, 2022, 01:13 AM
Last activity: Jul 5, 2022, 03:49 PM
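As an added illustration, not part of the question and not libpcap's own code: a small C diagnostic that checks the two prerequisites the question names. It parses the effective capability set (CapEff) out of /proc/self/status and then attempts the same first step libpcap's Linux backend takes, opening an AF_PACKET raw socket; in a sandbox that strips CAP_NET_RAW that call is where capture fails, with EPERM. The bit numbers 12 (CAP_NET_ADMIN) and 13 (CAP_NET_RAW) are the values defined in linux/capability.h.

```c
/* Added diagnostic (not libpcap code): check effective capabilities and
 * try to open the AF_PACKET raw socket that libpcap needs on Linux. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <arpa/inet.h>
#include <linux/if_ether.h>
#endif

#define CAP_BIT_NET_ADMIN 12 /* from linux/capability.h */
#define CAP_BIT_NET_RAW   13

/* Parse the "CapEff:" hex mask from /proc/<pid>/status text.
 * Returns 0 and fills *mask, or -1 if the line is absent. */
int parse_capeff(const char *status_text, unsigned long long *mask) {
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return -1;
    *mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return 0;
}

/* Non-zero if capability number `bit` is set in the mask. */
int cap_present(unsigned long long mask, int bit) { return (int)((mask >> bit) & 1ULL); }

/* Read this process's own effective capability mask; -1 if /proc is unavailable. */
int read_own_capeff(unsigned long long *mask) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_capeff(buf, mask);
}

/* Open an AF_PACKET raw socket for all protocols, as a capture tool does.
 * Returns 0 on success, otherwise errno (EPERM when CAP_NET_RAW is missing). */
int probe_packet_socket(void) {
#ifdef __linux__
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return errno;
    close(fd);
    return 0;
#else
    return ENOSYS; /* AF_PACKET is Linux-specific */
#endif
}
```

Run it inside the target sandbox: a missing CAP_NET_RAW bit together with a `Operation not permitted` result from the socket probe is the signature of the failure described in the question.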