Apparently, they are using gVisor, which when applied properly, should make a pretty good isolation primitive.