What is the most reliable place for ROMs these days? Is there any sort of checksum that can accompany them to ensure safety? While I trust Dolphin, I don't trust most ROMs.
There are tons of options: No-Intro, Redump, TOSEC, MAME are all doing DAT files with file checksums.
That said, ROMs are basically never a malware vector as they have to exploit an issue in the emulators themselves and historically that hasn't really been seen. Typically malware related to ROMs happens with files included in the zip archives or by sites offering "downloaders" with embedded malware.
I've had pretty good success with CleanRip https://wiibrew.org/wiki/CleanRip#Wii_DAT_download for acquiring ROM files. With it, I was able to back up my entire personal collection with minimal fuss, and can now enjoy that collection in HD with Dolphin's various enhancements.
For verification you generally want the Redump database, which has checksums for most disc-based console releases. Unfortunately they seem to be offline at the moment, or I'd share a canonical link. Look around for that.
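An added example, not part of any post in this thread: checking a disc image against a DAT file of the kind the replies above mention. It assumes the Logiqx-style XML layout (`<game>` elements containing `<rom>` entries with `size`, `crc`, `md5` and `sha1` attributes); the function names, the sample bytes and the one-entry DAT are constructed for the illustration.

```python
import hashlib, io, zlib
import xml.etree.ElementTree as ET

FIELDS = ("size", "crc", "md5", "sha1")

def hash_stream(f, chunk_size=1 << 20):
    """Hash a binary file object in chunks so multi-GB images never sit in RAM."""
    crc, size, md5, sha1 = 0, 0, hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: f.read(chunk_size), b""):
        size += len(chunk)
        crc = zlib.crc32(chunk, crc)
        md5.update(chunk)
        sha1.update(chunk)
    return {"size": str(size), "crc": f"{crc:08x}",
            "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def load_dat(xml_text):
    """Index <rom> entries by SHA-1 -> (game name, recorded fields)."""
    if "<!ENTITY" in xml_text:  # a DAT is downloaded input too; refuse entity tricks
        raise ValueError("DAT declares XML entities")
    index = {}
    for game in ET.fromstring(xml_text).iter("game"):
        for rom in game.iter("rom"):
            rec = {k: rom.get(k).lower() for k in FIELDS if rom.get(k)}
            if "sha1" in rec:
                index[rec["sha1"]] = (game.get("name"), rec)
    return index

def verify(f, index):
    """Return (status, game name): verified, mismatch, or unknown."""
    got = hash_stream(f)
    name, rec = index.get(got["sha1"], (None, None))
    if rec is None:
        return ("unknown", None)  # not a catalogued dump: modified, bad rip, or unlisted
    ok = all(got[k] == v for k, v in rec.items())
    return ("verified" if ok else "mismatch", name)

# Constructed sample data: stand-in image bytes and a one-entry DAT built from them.
GOOD = b"constructed stand-in for a disc image\n" * 4096
_h = hash_stream(io.BytesIO(GOOD))
SAMPLE_DAT = (
    '<?xml version="1.0"?><datafile><game name="Sample Game (Constructed)">'
    f'<rom name="sample.iso" size="{_h["size"]}" crc="{_h["crc"].upper()}" '
    f'md5="{_h["md5"]}" sha1="{_h["sha1"]}"/></game></datafile>'
)

if __name__ == "__main__":
    idx = load_dat(SAMPLE_DAT)
    print(verify(io.BytesIO(GOOD), idx))                  # listed dump
    print(verify(io.BytesIO(GOOD[:-1] + b"X"), idx))      # one byte changed
```

A match shows the image is byte-identical to the catalogued dump; it says nothing about other files shipped in the same archive, which is where the thread locates the actual malware risk.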
Now there's an interesting challenge. A ROM that does a VM breakout and runs a command on the host.
In all my years of emulation, I've never come across a malicious ROM for a major console.
Dolphin runs its own VM. Obviously anything is possible, but developing some kind of breakout-ROM which would infect the host machine is just way more engineering than I could imagine ever being worth it. The vector is just too complex, and the target (nerds downloading retro games) just isn't worth the squeeze.
Archive.org actually hosts a good chunk of the major GameCube ROMs. Good luck!