Two reasons speak for separate hardware for that purpose:
1: conventional computers have no mechanism to indicate what you expect from a USB device, and you can't ask for confirmation that the user wanted to plug in a keyboard, because the user might need that keyboard to confirm this intention.
2: the USB software stack can be attacked at many layers, including firmware, generic OS code and the OS-chosen driver. That software stack varies depending on OS, motherboard, BIOS version, installed drivers etc. A hardware device can provide protection invariant to those factors.