I don't think this "pedantic reminder" is correct.
Feel free to prove me wrong though. Give me a binary to run which will escape a container, configured only with docker flags I choose to set, but without gvisor.
If it's not a "secure sandbox", surely the above should be easy... But of course you won't be able to. "contained.af" (temporarily broken right now unfortunately) has been running for 5+ years with docker, no gvisor, and no one capturing the CTF flag.
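As an added example that is not part of this comment (and not code from contained.af or Docker), here is what "docker flags I choose to set" looks like in practice, together with a small lint that flags a `docker run` line that weakens the sandbox. The flags are real Docker CLI options; the function names, the image name and the sample command lines are constructed for the example, and Docker does not need to be installed to run it.

```shell
#!/bin/sh
# Added example, not from the thread.  Two pieces:
#   hardened_run  - prints a `docker run` line with the sandbox-style flags
#   lint_run      - reports flags that hand the container host-level power,
#                   or hardening flags that are missing
# Function names and the image are made up; every --flag is a real Docker option.

# The run-time flags a sandboxed workload is usually started with.  The daemon
# still applies its default seccomp and AppArmor profiles on top of these.
HARDENED_FLAGS="--user=65534:65534 --cap-drop=ALL --security-opt=no-new-privileges \
--read-only --tmpfs=/tmp:rw,noexec,nosuid,size=64m --pids-limit=256 \
--memory=256m --cpus=1 --network=none"

# $1 = image, remaining args = command run inside the container.
hardened_run() {
    image=$1; shift
    printf 'docker run --rm %s %s %s\n' "$HARDENED_FLAGS" "$image" "$*"
}

# Lint a docker run command line passed as one string.  Prints one finding
# per line and returns the number of findings (0 = nothing obviously wrong).
# The line is padded with spaces so every flag can be matched on a boundary.
lint_run() {
    cmd=" $1 "
    n=0

    # Flags that give the container host-level power.
    case $cmd in *" --privileged "*)
        echo "bad: --privileged (all capabilities, all devices, seccomp/AppArmor off)"; n=$((n+1));; esac
    case $cmd in *" --cap-add"*)
        echo "bad: --cap-add (CAP_SYS_ADMIN and friends are escape primitives)"; n=$((n+1));; esac
    case $cmd in *"seccomp=unconfined"*|*"apparmor=unconfined"*)
        echo "bad: seccomp or AppArmor disabled"; n=$((n+1));; esac
    case $cmd in *"--pid=host"*|*" --pid host "*)
        echo "bad: host PID namespace"; n=$((n+1));; esac
    case $cmd in *"--net=host"*|*"--network=host"*|*" --net host "*|*" --network host "*)
        echo "bad: host network namespace"; n=$((n+1));; esac
    case $cmd in *"/var/run/docker.sock"*)
        echo "bad: docker socket mounted (root on the host)"; n=$((n+1));; esac
    case $cmd in *"--userns=host"*)
        echo "bad: host user namespace forced"; n=$((n+1));; esac
    case $cmd in *" --device"*)
        echo "bad: host device passed through"; n=$((n+1));; esac

    # Hardening flags a sandbox should carry.
    case $cmd in *"--cap-drop=ALL"*|*"--cap-drop=all"*|*" --cap-drop ALL "*|*" --cap-drop all "*) ;;
        *) echo "missing: --cap-drop=ALL"; n=$((n+1));; esac
    case $cmd in *"no-new-privileges"*) ;;
        *) echo "missing: --security-opt=no-new-privileges"; n=$((n+1));; esac
    case $cmd in *" --read-only "*) ;;
        *) echo "missing: --read-only"; n=$((n+1));; esac
    case $cmd in *"--pids-limit"*) ;;
        *) echo "missing: --pids-limit (fork bombs)"; n=$((n+1));; esac
    case $cmd in *" --user"*|*" -u "*) ;;
        *) echo "missing: --user (process is root inside the container)"; n=$((n+1));; esac

    return $n
}

# Stand-alone use: print the hardened line, then lint a deliberately bad one.
hardened_run alpine sh
lint_run "docker run --rm --privileged -v /var/run/docker.sock:/var/run/docker.sock alpine sh" || true
```

The lint is plain string matching, not a policy engine; it is meant to make the difference between a default `docker run` and a locked-down one visible at a glance. What these flags remove is the container's ability to reach host resources through the normal API surface (capabilities, namespaces, mounts, devices); what they do not change is the kernel itself, which is the part gVisor interposes on.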