I guess I meant sandboxing resources via cgroups, which is distinct from a security sandbox perhaps. (I actually don't know but AFAIK isolation is the default in Docker and you have to explicitly connect containers.)