Docker containers share the host kernel. Namespaces ≠ sandbox.
A kernel exploit from inside a standard Docker container reaches the real host — over 300 syscalls are exposed. gVisor (Google's open-source user-space kernel) cuts that to ~20.
For MCP servers running third-party or user-uploaded code, that is the difference between a contained blast radius and a full host compromise.
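An added check, not part of the original post: the "over 300 syscalls" figure depends on the seccomp profile and capabilities a container actually runs with, so this Python script computes the allowed syscall set from a profile in Docker's seccomp JSON format (defaultAction, syscalls[].names/action/includes/excludes) for a given cap set and arch. It audits the Docker side only, not gVisor; the embedded profile is a constructed miniature, and the real default.json from the moby repo (profiles/seccomp/default.json) is what you would feed it on a host.

```python
"""Count the syscalls a Docker seccomp profile actually exposes.
Added example using Docker's profile JSON format; the mini-profile
below is constructed and is NOT the real default profile."""
import json

# Constructed mini-profile in Docker's format (not the real default).
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group", "futex"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_PTRACE"]}},
        {"names": ["mount", "umount2", "unshare"],
         "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
        {"names": ["arch_prctl"], "action": "SCMP_ACT_ALLOW",
         "includes": {"arches": ["amd64", "x32", "x86"]}},
    ],
})


def _rule_applies(rule, caps, arch):
    """Docker semantics: 'includes' needs any listed cap / the arch;
    'excludes' drops the rule if any listed cap / the arch matches."""
    inc, exc = rule.get("includes", {}), rule.get("excludes", {})
    if inc.get("caps") and not set(inc["caps"]) & caps:
        return False
    if inc.get("arches") and arch not in inc["arches"]:
        return False
    if exc.get("caps") and set(exc["caps"]) & caps:
        return False
    if exc.get("arches") and arch in exc["arches"]:
        return False
    return True


def allowed_syscalls(profile_json, caps=(), arch="amd64"):
    """Set of syscall names the host kernel will accept from a container
    running with these caps on this arch under the given profile."""
    profile = json.loads(profile_json)
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        raise ValueError("default-allow profile: every syscall exposed")
    caps, allowed = set(caps), set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW" and \
                _rule_applies(rule, caps, arch):
            allowed.update(rule.get("names", []))
    return allowed
```

Run it twice, once with the default cap set and once with `--cap-add SYS_ADMIN`, and the difference in set size is the extra kernel surface that one flag buys the workload.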