
Compare the following situations: (A) two processes running in the same operating system; (B) two processes running inside containers in the same operating system. How exactly is situation B less safe than A?

You are instead comparing B with (C): two VMs, each running a process.

Whether k8s / docker or VMWare Workspace / custom Xen etc is worse is another question. In my limited experience they are all terrible. But that is distinct from containerisation (confinement at the syscall layer + tooling).



You are quite correct - I am comparing multiple programs running in different vms - which is the very very common situation almost every single company finds themselves in simply because there is too much software out there today.

Even the most basic case of a database talking to an app server typically runs in more than one vm if for no other reason than it is easier to manage and easier to isolate performance issues, however, there are obviously many many other reasons as well - does it shard? does it replicate? Most websites aren't exposed to the world directly - they sit behind a load balancer because a single app can't take the entire load.

Most companies I know have workloads that don't just span one virtual machine - they span tens or hundreds or thousands or in the case of the hyperscalers hundreds of thousands. Most of the container users out there live on virtual machines! I can't keep emphasizing this point enough.

I'm not arguing for the hobbyist at home. I'm arguing for the companies that on the low end spend tens of thousands of dollars a month on cloud infrastructure. Just as a case in point - Lyft alone was spending something like $80M a year on cloud infrastructure.

One of the key unikernel questions is that we don't live in the 1990s anymore - Zeus the database server doesn't live on the same server as Mars the webserver anymore. Multi-process/single-server architecture makes absolutely no sense in the 2020s.

It's almost 2021. Things have changed. Our operating systems must change too.


Attackers look for the easiest and most easily available prey: hordes of wolves will go after cattle, not pets





