This manages to be even worse. Since it's set up full of holes to be usable (e.g. reaching out on the filesystem), you get the worst of random binaries without isolation, plus the dead end for updates you get in practice when dealing with hundreds of containers outside of a professionally managed cluster.
Actually, you get better isolation and resource restrictions due to cgroups v2, no mixture with host packages, and the full library stack ships with the application. When the application container is updated, so are the associated packages.