Thanks for taking the time to address my question and interest in container isolation.
To that end, I have been playing around with an idea that may, or may not, be of any real help in this area, but one that seemed to possibly be a "potential" solution to the problem of individual user container isolation.
Lately, I had thought about the idea of using a Docker Engine Network Extension that would effectively set up a Peer-to-Peer VPN on a mesh for a particular user.
There was a project that I came across called "MeshBird" which is a self-balancing VPN network for which any node just contacts a single node to be included in a mesh as long as they have the proper login credential.
My idea was to set up a docker engine network extension such that as part of the "docker run ..." command line, a person could also add perhaps something like "MESH=[pass token]" so that their container would set up, or join, a particular MESH if authenticated against "pass token".
Then on other instances by the same user they would enter the same "MESH=[pass token]" and if successful then those 2 containers could see each other. This could easily go on and on so that the user effectively builds a mesh VPN just for their containers and other containers on the system would not see them at all since each user could have their own MESH VPN. Effectively, each user would have their own Peer-to-Peer VPN MESH within and across all of the docker engines in the resource pool so that only their user owned containers can see each other.
There are many details to still consider, but I thought that this might be the less intrusive approach to container isolation across a cluster of nodes.
Any thoughts on this?
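A sketch of the per-user mesh admission described above, added here as an example (it is not code from the post, from Docker, or from MeshBird): the mesh ID is derived by HMAC from the MESH token so that engines sharing a node key agree on the mesh without storing the token, the isolation rule allows traffic only between networks admitted to the same mesh, and CreateNetwork is the decision a libnetwork remote driver would make for that request. The node key, the network IDs, and the placement of `-o MESH=<token>` under the generic options key are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)

// MeshDriver admits Docker networks to per-user meshes. Mesh identity is
// HMAC(nodeKey, token): engines sharing nodeKey agree on which mesh a
// token names, and the raw token is never stored or logged.
type MeshDriver struct {
	nodeKey  []byte
	networks map[string]string // Docker network ID -> mesh ID
}

func NewMeshDriver(nodeKey []byte) *MeshDriver {
	return &MeshDriver{nodeKey: nodeKey, networks: map[string]string{}}
}

// Join: the first holder of a token creates its mesh, later holders join
// it. Returns the mesh ID, or "" when no token was given (no membership).
func (d *MeshDriver) Join(networkID, token string) string {
	if token == "" {
		return ""
	}
	mac := hmac.New(sha256.New, d.nodeKey)
	mac.Write([]byte(token))
	d.networks[networkID] = hex.EncodeToString(mac.Sum(nil))
	return d.networks[networkID]
}

// SameMesh is the isolation rule: only members of the same mesh may talk;
// an unknown network ID never matches anything.
func (d *MeshDriver) SameMesh(a, b string) bool {
	ma, okA := d.networks[a]
	mb, okB := d.networks[b]
	return okA && okB && ma == mb
}

// CreateNetwork is the decision behind /NetworkDriver.CreateNetwork, given
// the network ID and the generic options map. Assumption: -o MESH=<token>
// lands there under "com.docker.network.generic". Replies {} or {"Err":...}.
func (d *MeshDriver) CreateNetwork(networkID string, generic map[string]interface{}) string {
	token, _ := generic["MESH"].(string)
	if d.Join(networkID, token) == "" {
		return `{"Err":"MESH token required"}`
	}
	return "{}"
}
```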