(Unless you explicitly expose ports or mount volumes or grant elevated kernel permissions.)
I can't think of a safer way of running someone else's code, can you?
FreeBSD has jails and Solaris has zones, both of which were designed to be safe sandboxes for OS-level virtualization or "containerization" as it's called today. The consensus, as far as I can tell, is that these are pretty safe/strict, at least as far as "provide a safe environment to execute untrusted code" goes.
On Linux, resource control mechanisms like cgroups and namespaces have been co-opted to simulate secure sandboxes, but it's not the same as actually providing them.
I can't speak with authority on Docker security, but that's a data point, from the largest cloud provider in the world.