RHEL 9.1 and later QEMU/KVM AArch64 guests will start enabling the 'pauth' CPU feature[1][2] by default because AArch64 guests are always run with CPU host passthrough. If for any reason this feature needs to be disabled by the user then libvirt should offer xml to do so. The feature may be probed with QEMU's CPU model expansion QMP command. When running a guest under TCG another pointer authentication feature will be available ('pauth-impdef'). See its description in QEMU's docs/system/arm/cpu-features.rst document.

[1] https://developer.arm.com/documentation/102433/0100/Return-oriented-programming
[2] https://lwn.net/Articles/718888/