Podman makes this easier to do safely by default. I'd suggest checking that out.