TL;DR: containers aren't (yet?) suitable for protecting the host from privilege escalation.
In our case this is just fine... we are using Docker for app distribution (so we don't have to rely on libraries installed on host systems, but rather carry our libraries within the container). So we are not replacing VMs with containers; we are replacing applications with containers.