it’s an extra hurdle, but it’s far from a guaranteed barrier. There’s a whole class of exploits called container escapes (or hypervisor escapes if you’re dealing with old-school VMs) that specifically focus on escalating an attack from a compromised container into whatever machine is hosting the container.