
Comment by tarruda

2 years ago

systemd-nspawn is simple but AFAIK it doesn't do any security other than the kernel namespacing. Docker is even worse because it runs containers as root, which means a rogue process can take over the host very easily.

Incus/LXD runs containers as normal users (by default) and also confines the whole namespace in AppArmor to further isolate containerized processes from the host. AppArmor confinement is also used for VMs (the qemu process cannot access anything that is not defined in the whitelist).

Docker runs containers as the user you tell it to. Same with nspawn. There's not much difference there in that respect.

Nspawn does seccomp-based filtering, similar to the usual systemd services.
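The thread above argues about which runtime actually leaves a container process as host root, with a user namespace, with a seccomp filter, or under an LSM profile. Rather than trust the runtime's defaults, you can read those four facts straight out of /proc for a running PID. The following checker is an added example written for this page; it is not code from Docker, systemd-nspawn, Incus/LXD or any commenter, and the /proc contents it ships with are constructed samples, not captures from real systems. It assumes a Linux host where you can read another process's /proc entries (i.e. you run it as root on the host).

```python
"""Report how confined a Linux process actually is, from /proc alone.

Reads /proc/<pid>/status (Uid, CapEff, Seccomp, NoNewPrivs), /proc/<pid>/uid_map
(user-namespace mapping) and /proc/<pid>/attr/current (AppArmor/SELinux label).
Run it from the host, as root, against a containerized PID.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CAP_SYS_ADMIN = 21                      # bit number from <linux/capability.h>
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}
INITIAL_UID_MAP = [(0, 0, 4294967295)]  # what the initial user namespace reports


@dataclass
class Confinement:
    host_uid: int              # uid the host kernel sees (status is rendered in the reader's user ns)
    inside_uid: Optional[int]  # the same uid as the process sees it; None if unmapped
    user_ns: bool              # True when the process sits in a non-initial user namespace
    cap_eff: int               # effective capability mask
    seccomp: str               # "disabled", "strict" or "filter"
    no_new_privs: bool
    lsm_label: str             # e.g. "unconfined", "docker-default (enforce)", an SELinux context
    findings: List[str] = field(default_factory=list)


def parse_status(text: str) -> Dict[str, List[str]]:
    """Turn the 'Key:<tab>v1<tab>v2' lines of /proc/<pid>/status into a dict of token lists."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    return fields


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Each line of uid_map is: <inside start> <outside start> <count>."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, count = (int(x) for x in line.split())
            rows.append((inside, outside, count))
    return rows


def to_inside_uid(host_uid: int, uid_map: List[Tuple[int, int, int]]) -> Optional[int]:
    """Translate a host uid into the process's own user namespace (None if unmapped)."""
    for inside, outside, count in uid_map:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return None


def assess(status_text: str, uid_map_text: str, attr_current_text: str) -> Confinement:
    st = parse_status(status_text)
    uid_map = parse_uid_map(uid_map_text)
    host_uid = int(st["Uid"][0])
    cap_eff = int(st["CapEff"][0], 16)
    seccomp = SECCOMP_MODES.get(int(st.get("Seccomp", ["0"])[0]), "unknown")
    c = Confinement(
        host_uid=host_uid,
        inside_uid=to_inside_uid(host_uid, uid_map),
        user_ns=uid_map != INITIAL_UID_MAP,
        cap_eff=cap_eff,
        seccomp=seccomp,
        no_new_privs=st.get("NoNewPrivs", ["0"])[0] == "1",
        lsm_label=attr_current_text.strip("\x00\n "),
    )
    if host_uid == 0:
        c.findings.append("runs as host uid 0: a container escape lands as root")
    if not c.user_ns:
        c.findings.append("no user namespace: in-container uids are host uids")
        # Capabilities are host-wide only when there is no user namespace;
        # inside a user namespace they are scoped to that namespace.
        if (cap_eff >> CAP_SYS_ADMIN) & 1:
            c.findings.append("CAP_SYS_ADMIN in effective set")
    if seccomp != "filter":
        c.findings.append(f"seccomp {seccomp}: no syscall filter")
    if not c.lsm_label or c.lsm_label.startswith("unconfined"):
        c.findings.append("no AppArmor/SELinux confinement")
    return c


def inspect_pid(pid: int) -> Confinement:
    """Live check; needs root on the host to read another process's files."""
    def read(name: str) -> str:
        with open(f"/proc/{pid}/{name}") as f:
            return f.read()
    try:
        label = read("attr/current")
    except OSError:          # no LSM enabled: the file is absent or unreadable
        label = "unconfined"
    return assess(read("status"), read("uid_map"), label)


# Constructed sample /proc contents (hypothetical, not captured from real systems).
# 1) root inside a container with no user namespace, but a seccomp filter and an AppArmor profile
ROOT_CONTAINER_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\nSeccomp:\t2\n"
# 2) root inside an unprivileged container: the host sees uid 1000000, mapped to 0 inside
UNPRIV_CONTAINER_STATUS = "Name:\tsh\nUid:\t1000000\t1000000\t1000000\t1000000\nCapEff:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t2\n"
UNPRIV_UID_MAP = "         0    1000000      65536\n"
INITIAL_UID_MAP_TEXT = "         0          0 4294967295\n"


def demo() -> Dict[str, Confinement]:
    return {
        "root-no-userns": assess(ROOT_CONTAINER_STATUS, INITIAL_UID_MAP_TEXT, "docker-default (enforce)\n"),
        "unprivileged": assess(UNPRIV_CONTAINER_STATUS, UNPRIV_UID_MAP, "lxd-c1_</var/lib/lxd> (enforce)\n"),
    }


if __name__ == "__main__":
    for name, c in demo().items():
        print(f"{name}: host uid {c.host_uid}, inside uid {c.inside_uid}, userns={c.user_ns}, "
              f"seccomp={c.seccomp}, lsm={c.lsm_label!r}")
        for f in c.findings:
            print("  -", f)
```

To check a real container, run `inspect_pid(<pid>)` from the host; the host-side `Uid` of a process that thinks it is root tells you immediately whether a user namespace sits between it and the kernel, and the `Seccomp` and `attr/current` values settle the seccomp and AppArmor questions raised above without guessing from the runtime's documentation. The capability check is deliberately skipped when a user namespace is present, because a full capability mask inside a user namespace does not grant those capabilities on the host.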