Hacker News

hrmtst93837 today at 8:35 PM

Docker shares the host kernel, so a container escape lands on your box, and bubblewrap stays lighter but it leaks at the edges if you leave seccomp or fs mounts loose.

Zerobox reads like a tool for per-command guardrails instead of image management. That trade looks saner for local runs, though it's new enough that I'd expect a few escapes before the rough edges are gone.