Comment by antonvs
5 days ago
Sure, happy to discuss in detail, here or in email (where we can arrange anything else). Base64-decode the value in my profile a couple of times (sorry for the inconvenience).
Re isolation, my question would be, what's the threat model? Despite the theoretical risks, for example, cloud providers run user containers on their managed clusters and other services. Of course, those services and the containers they run are locked down in various ways, but that can be replicated if you're running on bare metal.
Especially if you're going to be running in the cloud, microVMs will hurt you in terms of performance, because you'll be running your own VMs within the cloud provider VMs. Similarly, using microVMs makes it harder if not impractical to take advantage of orchestrators like Kubernetes.
If you're running on bare metal, then it's probably not the best idea to run containers directly on e.g. an un-hardened Linux. You'd be better off running something like k8s for container management, and run that on a container-specific OS like Flatcar.
In that scenario, I suppose the advantage of a microVM is mainly that it could help protect you from threats you may not have considered - after all, you and I aren't AWS or Google. But pragmatically, I think the disadvantages of microVMs outweigh the largely theoretical risks.
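The comment above says the lockdown a managed cluster applies to user containers "can be replicated if you're running on bare metal", and recommends k8s on a container-specific OS rather than containers on an un-hardened host. The following is an added example, not code from the commenter or from any project mentioned: a small audit that walks a Kubernetes Pod manifest and reports every setting that falls short of the restrictions a locked-down cluster would enforce (roughly the "restricted" Pod Security Standard, plus a read-only root filesystem). The two manifests are constructed for the example; the check names, thresholds and the `audit_pod` function are this example's own choices, not a Kubernetes API.

```python
# Added example: audit Pod manifests for the hardening a managed cluster
# normally enforces, so the same policy can be applied on a bare-metal k8s.
# Manifests are plain dicts (the shape kubectl would emit as JSON/YAML) so
# the script runs offline with no third-party dependency.
from typing import Any, Dict, List

# Capabilities the "restricted" profile still permits a container to add.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the Pod passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})

    # Sharing a host namespace defeats most of the container boundary.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod shares host namespace: {flag}=true")

    # hostPath volumes expose the node filesystem (e.g. the container socket).
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path", "?")
            findings.append(f"volume {vol.get('name', '?')} mounts hostPath {path}")

    pod_sc = spec.get("securityContext", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext", {})

        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true")
        # Unset means the runtime will NOT set no_new_privs, so require explicit false.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        # runAsNonRoot may be set at pod or container level.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")

        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        extra = sorted(set(caps.get("add", [])) - ALLOWED_ADDED_CAPS)
        if extra:
            findings.append(f"{name}: adds capabilities {extra}")

        # seccomp profile inherits from the pod level when the container has none.
        profile = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if profile.get("type") not in ALLOWED_SECCOMP:
            findings.append(f"{name}: seccompProfile is {profile.get('type')!r}, "
                            "expected RuntimeDefault")
    return findings


# Constructed "just make it work" manifest of the kind that lands on an
# un-hardened host: root, privileged, host network, and the container socket.
LAX_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "tool", "image": "example/tool:1",
                        "securityContext": {"privileged": True}}],
    },
}

# Constructed manifest applying the lockdown the audit checks for.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "web", "image": "example/web:1",
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"],
                                             "add": ["NET_BIND_SERVICE"]}}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("lax", LAX_POD), ("hardened", HARDENED_POD)):
        found = audit_pod(pod)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run as a script it lists eight findings for the lax manifest and none for the hardened one. Enforcing the same rules cluster-wide is what an admission policy (for example the built-in Pod Security Admission at the `restricted` level) does; this audit is only a way to see which of those rules a given manifest would trip before it reaches the cluster.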