It is well known that containers do not provide you with safe isolation. It is not their purpose. They share the kernel and page cache with the host. Any kernel exploit gives someone in a container potential root control of the host (see DirtyPipe, DirtyCow). That's why you need VM-level isolation.
Today I'm one of the lucky 10k https://xkcd.com/1053/
Lucky you! And lucky me for sharing the info :)