@jorin I deploy my services in jails on FreeBSD and when they need database access I have the Postgres unix socket mounted into the jails that need it. No network access for the database == fffffast

However, I've been warned that container/jail escape by abuse of the socket is somehow theorhetically possible, though I have never seen a clear explanation of how it would work. (same for syslog actually -- I mount in the socket for that)