I don’t know what the commenter you replied to is talking about, but systemd has it’s own firewalling and sandboxing capabilities. They probably mean that they don’t use docker for deployment of services at all.

Here is a blogpost about systemd’s firewall capabilities: ctrl.blog/…/systemd-application-firewall.html

Here is a blogpost about systemd’s sandboxing: www.redhat.com/en/blog/mastering-systemd