Apr 28, 2021
Great article, Luc. I think it's also worth pointing out that it's possible to run rootless containers while keeping the Docker daemon rootful. This way you isolate the container while voiding most of the limitations of rootless Docker. In fact, there is a new runc called "Sysbox" that allows Docker to create rootless containers to run things like systemd, Docker, and even K8s in them, thus voiding the need for VMs to play with Docker.