Comment by dimiprasakis

11 hours ago

Cool approach.

But a compromise still lands on the host's kernel; Docker doesn't provide kernel isolation (well, it does on macOS because it runs in Docker machine, but that's a side effect).

I wonder if a better solution would be to play with seccomp or Linux capabilities so that Chrome is sandboxed even in Docker. Not sure how this would work tbh.

Answering here to get ideas; I saw your fix on Git and request for feedback (will try to review and give it some thought once I find some time).