Gotcha. Did some digging to understand it a little better. Sounds like gVisor is to syscalls what opensnitch is to network calls.
Scanned an older paper and it put things in perspective:
Whereas each application running in a virtual machine runs on its own guest operating system, OS-level virtualization allows multiple tenants to efficiently share a common OS. Although efficient, such sharing is also a security concern; as Daniel Walsh quipped, “containers do not contain” [24]. If the OS itself does not run in the container, OS resources with incomplete virtualization are vulnerable [24] and kernel bugs can be exploited through a large attack surface (over 300 system calls).
The conclusion illustrates that gVisor is the bee’s knees, but the performance impact has been severe (in the past at least):
gVisor is arguably more secure than runc, as a compromised Sentry only gives an attacker access to a user-space process severely limited by seccomp filters, whereas a compromised Linux namespace or cgroup may give an attacker access to the host kernel. Unfortunately, our analysis shows that the true costs of effectively containing are high: system calls are 2.2× slower, memory allocations are 2.5× slower, large downloads are 2.8× slower, and file opens are 216× slower.
Outside of that, my initial research suggests that gVisor is harder to troubleshoot, i.e. a container might require an unsupported syscall and you’re just SOL. Circling back to my setup, the containers I use are technically installed from Docker Hub, but via a docker-compose file/Dockerfile from popular GitHub repositories (JupyterLab, RedLib, SearXNG, Zoraxy, etc.). So what I install isn’t perfect, but it didn’t exactly fall out of the back of a van either.
If anything, I have some outstanding plans to harden services across my devices with systemd, and when I switch to podman I can integrate that into my containers as well. TBH I likely will have to troubleshoot just as much, but from what I understand there are fewer dead ends, and the skills learned are applicable across Linux instead of just for kernel hardening.
Appreciate the advice though, and I learned something new as a result 🙏🏽
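One concrete form the systemd hardening mentioned above can take, as an added example that is not from the post or from any of the projects named in it: a drop-in override for a hypothetical `myservice.service` that confines the service to a syscall allowlist and a reduced view of the kernel, which addresses the same "over 300 system calls" surface the quoted paper raises, but on the host kernel rather than through a user-space kernel like gVisor. Every directive is a real systemd option documented in systemd.exec(5); the unit name, the state directory and the assumption that the service only needs TCP/IP and Unix sockets are mine.

```ini
# /etc/systemd/system/myservice.service.d/hardening.conf
# Added example; "myservice" is a placeholder unit, not one from the post.
[Service]
# Run as a transient unprivileged user; nothing is owned by a static account.
DynamicUser=yes
# Drop every capability and forbid privilege escalation via setuid/setgid.
CapabilityBoundingSet=
NoNewPrivileges=yes
RestrictSUIDSGID=yes
# Read-only OS, no access to home, private /tmp and /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Hide other processes, kernel tunables, modules, logs, cgroups, clock, hostname.
ProtectProc=invisible
ProcSubset=pid
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
# Shrink the syscall surface: allow the generic service set, then remove the
# privileged and resource-control groups, refuse non-native ABIs (e.g. 32-bit
# compat syscalls on x86_64), and return EPERM instead of killing the process
# so a denied syscall shows up as an error in the journal, not a silent death.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
# No new namespaces, no writable+executable memory, no personality or realtime changes.
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
RestrictRealtime=yes
# Assumption: the service only needs TCP/IP and local Unix sockets.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Assumption: persistent data lives under /var/lib/myservice (writable despite ProtectSystem=strict).
StateDirectory=myservice
```

After `systemctl daemon-reload && systemctl restart myservice`, `systemd-analyze security myservice` prints a per-directive exposure score so you can see what each line bought you, and `journalctl -u myservice` is where an `EPERM` from a filtered syscall will surface. That is the "fewer dead ends" part in practice: a blocked syscall is named in the error, and `systemd-analyze syscall-filter` lists what each `@group` contains so the filter can be loosened one group at a time. Two caveats: `MemoryDenyWriteExecute=yes` breaks JIT runtimes (Node, Java, some Python extensions), so drop it for those, and `DynamicUser=yes` means any data outside `StateDirectory` vanishes with the user, so set that directory before the first start.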