But yeah I just restrict my webserver in an unprivileged container. Though my site is static and accepts no input whatsoever.
Containers also have some advantages for device passthrough, I have my Intel iGPU added into one for Immich and Frigate, can't do that with a VM unless you detach the whole GPU from the system.