>Apollo[1] fixes this problem really neatly - there's a "Virtual Desktop" option that adds a virtual desktop, and you can disable all the local monitors while in this session so that a local person doesn't see your desktop while you're remoted into it (just remember to lock after you end your session!).
Does that mean someone with physical access can take control while you're logged in?
Yes - afaik all of the "game streaming" solutions (Sunshine, Apollo, and probably others) derive from Nvidia's GameStream tech which just mirrors the local display remotely.
Does that mean someone with physical access can take control while you're logged in?