While containers have some useful properties, it was never intended to be, and never really functioned as a strict security boundary. We've duct-taped around that, and it's reasonably good now, but that only goes so far.
The fundamental problem is that the kernel is just too huge of an attack surface. It is probably always going to have exploitable bugs. A VM (especially hardware assisted) is a relatively tiny attack surface and it shows in the amount of bugs found.
I typically say that containers (and any other isolation that shares a kernel) are good for "mostly trusted" workloads, like different teams at the same company. You want isolation against accidents more than intentional attacks.
VMs are good for just about everything if you are careful (for example what devices and hardware are exposed) but if you want ultimate isolation you want completely separate hardware. It is the only way to be sure against hardware bugs and side-channels or VM bugs.
While containers have some useful properties, it was never intended to be, and never really functioned as a strict security boundary. We've duct-taped around that, and it's reasonably good now, but that only goes so far.