I used to be a Top Secret DCA (that's the lowest level of enhanced authority in Top Secret) in a shop that had both z/OS and z/VM systems. As far as I know the big 3 security packages all have versions for both z/OS and z/VM. This was certainly true for Top Secret. In my shop, there were a number of security islands, some z/OS and some z/VM, but Top Secret shipped updates on one system to most of the other islands. I did most of my updates on a z/OS system, including z/VM updates, with the expectation the update would be sent to the other islands.
I expect ACF2 works about the same way, but I don't know this to be a fact.
So, Top Secret did keep z/VM related data in it z/OS data base. I think RACF physically shares its database with z/VM systems, but I don't know this for a fact.
Since ACF2 uses VSAM for its data bases, and I think z/VM's support for VSAM is pretty primitive, I'm not sure sharing data bases between z/OS and z/VM is reasonable with the z/VM version of ACF2.
Top Secret's sharing by replicating data to other islands usually worked OK, though I would have to logon to the other islands to confirm the update took on the alternate system. At least once the update didn't take because the island was down when I did my update on the "master" system, more often it didn't take because of subtle differences between the "master" system and the other islands.
Most password changes took place on the system running the global session manager, a security island I did not have access to. Once (and only once) in 8+ years a password change for my ID did not propagate to what I regarded as the "master" system, and I had to scramble to fix it.