Hi,
I think some good advice is:
The best practice is to combine:
- running your process as non-privileged user within the containers (docker lets you do that easily)
- stripping the container of all the potentially dangerous system capabilities (docker does that automatically)
- running a hardened Linux, with e.g. a grsec-enabled kernel, or with your distro’s security module (SELinux, AppArmor…)
A root user within a LXC container cannot (in theory) escalate to be root on the host machine; but many people believe that it is possible to do so. It is certainly harder to do with Docker containers (thanks to the capability restrictions) but if security is a big concern, you should stack up multiple safety mechanisms.