If you do want a stronger security boundary, you can do that without using cgroups and other kinds of namespaces (aside from chroot) pretty easily using something like `firejail` -- that's what I do for this demo [0] (all the software is in /opt/appfs, if you want to try stuff out -- you can browse it here [1])
I've always heard "containerization is not a security boundary" but I am not red-team enough to provide specific counter-examples