That was kind of my point handwaving away the namespace isolations (Im speaking of Docker which is still probably the industry norm outside of kubs which is another basket), when for example they can access system resources as the root user, prod around on the local network, use networked resources, often expect to have internet access to pull dependencies at startup, hard coded DNS requested the list goes on. The amount of trouble I have to go through to strangle off applications because they made convenience assumptions is asinine.