The QEMU TCG approach makes sense for isolation, but I'm curious about the traffic routing story. Does each container get its own network namespace, or does all traffic still go through Android's network stack? The latter would mean carrier-level DPI still sees everything the container sends — which matters a lot depending on what you're running.