Exactly, you need to protect the state of the PRNG and you need to ensure that the seed isn’t deterministic or easily reversed (time of day, 0, etc). That includes recovery from events and timing seen by the hypervisor. And some cloud VMs don’t have a non-deterministic entropy pool, or one safe from the hypervisor.