[flubbergusto]

VMs are great for coarse isolation ("dev box", "web surfing", etc). A typical qubesos workstation would have a handful.

In the setup I linked, separation is more fine-grained. Ephemeral container for each cargo/nodejs/python/go/gcc process. The IDE is in a separate container from its own language servers, and from the shell, which is separate from both the X server and the terminal window, the ssh agent, etc. Only relevant directories are shared. This runs my devenv with vscode fine on a 16GB RAM 8c machine.

You'd need like 1T RAM and over 9000 cores to have that run smoothly with real VMs ;)

Basically containers can give you far more domains (with better performance and weaker isolation) on the same host.

The other upside is that the entire containerized setup can be run as unprivileged user. So an escape means they are still nerfed local user. A typical VM escape would have much shorter path to local root.