This is excellent advice. Together with systemd-nspawn it's all one needs to run a container in a strong sandbox.


Maybe a bit off-topic on this article but what does systemd-nspawn add compared to the aforementioned isolation options and how can you combine the two?


systemd-nspawn does the same things as docker, but with much smaller attack surface and can be sandboxed very effectively by the unit files.

The isolation provided by unit files is orthogonal to running containers.

nspawn doesn't even run a dedicated daemon. Plus, it's no secret that docker was not designed with security in mind and its isolation is bolted on. [1]

Furthermore, systemd is already installed and running on most systems (like it or not).

[1] https://www.cvedetails.com/vendor/13534/Docker.html
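To make the "sandboxed by the unit files" point above concrete, here is an added example of what that looks like in practice; it is not from the thread or from the systemd project's own shipped unit. It assumes a container image under /var/lib/machines/CONTAINER (CONTAINER is a placeholder name) started via the stock systemd-nspawn@.service template. Host-side sandboxing goes in a per-instance drop-in; container-side restrictions go in the matching .nspawn settings file, which the template's --settings=override flag honours. Directives that nspawn itself needs to function (cgroup delegation, device access for pts and tun, AF_NETLINK for veth setup) are deliberately not tightened here.

```ini
# /etc/systemd/system/systemd-nspawn@CONTAINER.service.d/hardening.conf
# Host-side restrictions on the nspawn process itself (applies on top of the
# upstream template, which already sets DevicePolicy=closed and Delegate=yes).
[Service]
# The container rootfs lives under /var/lib/machines, so the host's /home is
# not needed; /usr, /boot and /etc become read-only for the nspawn process.
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/machines /var/log/journal
# Keep nspawn away from kernel tunables, module loading and the system clock.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectClock=yes
ProtectKernelLogs=yes
# Only native-ABI syscalls, no personality switching, no realtime scheduling.
SystemCallArchitectures=native
LockPersonality=yes
RestrictRealtime=yes
# Sockets nspawn actually needs: unix (notify/journal), inet for the veth
# setup path, netlink for creating the veth pair. Everything else is denied.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK

# /etc/systemd/nspawn/CONTAINER.nspawn
# Container-side restrictions, applied by nspawn to the payload (PID 1 inside).
[Exec]
# Map container UIDs to a private, host-disjoint range (user namespaces).
PrivateUsers=pick
# Nothing inside may regain privileges via setuid/fscaps binaries.
NoNewPrivileges=yes
# Drop capabilities the payload does not need; keep the default set otherwise.
DropCapability=CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_TIME CAP_SYS_BOOT
# Seccomp filter on top of nspawn's default: deny obsolete and debugging calls.
SystemCallFilter=~@obsolete @debug

[Network]
# Private network namespace with a host-side veth pair instead of host networking.
VirtualEthernet=yes
```

After `systemctl daemon-reload`, `systemd-analyze security systemd-nspawn@CONTAINER.service` reports the remaining host-side exposure of the unit and is a quick way to see which of the directives above actually took effect; inside the container, `capsh --print` (if present in the image) shows the bounding set left after DropCapability. Which capabilities and syscall groups can be dropped depends on what the container's workload does, so treat the lists above as a starting point to tighten, not a fixed recipe.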
