by justicezyx
2383 days ago
I cannot say anything about internal use of gVisor. Sorry. As a bystander from outside, I generally don't like VM-type mechanisms as a security mechanism, unless it's actually a VM hypervisor. That way hardware can be utilized to define a relatively simpler and more robust security model. (Of course, I'm not saying hardware is always superior; please don't chase me in this direction.) On the contrary, true software sandboxes like eBPF and WebAssembly, with limited capabilities in their building blocks and clearly defined application scenarios, are better ways to do security in software.