Not all Linux kernels leak to the host. Docker security is way better than before. And there are also projects like podman and docker unprivileged that don't require any root interaction to set up a kernel
Depends on your definition of "leak" I suppose. You can't get a different kernel version inside a container, so there must be a "leak" in some sense. Reducing capabilities etc. will just leak less information about the system in general, but your kernel is always shared.