When we designed the security model for Google Cloud Build (I do not work there anymore), we decided that containers were not valid security barriers. So, all partitioning was done on the VM and network (configured outside the VM) level.
It wasn't hard to convince anyone that this was the right way to handle things.
not the op but aws made the same determination. the tl;dr is that the surface area of containerization leads to an unacceptable risk of privilege escalation.
Containers were never actually designed to be sandboxes, and inside you have access to many system calls and a comparatively huge surface area inside the kernel and userland, all written in C, with a long history of local root exploits due to C based bugs.
Because if you can get root in a container, you have root outside the container. While escaping a container isn’t exactly easy or always possible, it is a huge risk.
It wasn't hard to convince anyone that this was the right way to handle things.