@mk @dcc @theorytoe @bonifartius docker is not intended for security, it's not really any more secure than well configured services on systemd. docker is for declaratively making reproducible and portable runtime environments so it is easy to deploy a consistent software stack on any system, connect it to things, and migrate it. it's useful for things like mailcow and photoprism where you just want to run the damn thing and not spend hours figuring out the tedious process to install and configure all the bits together (mailcow is like a dozen services), plus you can instantly remove it at any time.
vms are the best isolation you can get besides running physically separate machines, in case there is a kernel vulnerability or something.