The thing about containers is they usually have no NÉED in general for pure ope file system access. No need for full network access (host, LAN, WAN). So the smaller the privileges the better. So even if it is compromised there’s very little you can do with it.
This is also a general principle for network management. For instance when does the TV need to print or access any server other than Jellyfin?
Trouble is many IT departments blindly purchase install whatever crap a security company recommends, without following step 2 (white listing).
I’ve been blocked by these stupid filters from Amazon while in engineering having to order parts to get the equipment running because it was flagged as “Japanese porn” on the guest (contractor) network. And yes I resorted to a proxy/socks tunnel to my VPS.