
How differently does LXD manage isolation in comparison to Docker?

I suppose both create netns, bridge, ifs?



LXC/LXD use the same kernel isolation/security features Docker does - namespaces, cgroups, capabilities etc.

After all, it is the kernel functionality that lets you run something as a container. Docker and LXC/LXD are different management / FS packaging layers on top of that.


I assume it's not using seccomp, which Docker uses, although seccomp is not Docker-specific and you can go grab their policy.


It's the same stuff - namespaces, etc. But it doesn't shove greasy fingers into network config like Docker. More a tooling question/approach than tech.


Have similar feelings about Docker. LXD containers through a bridged interface fit my mental model/use case.
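A way to check the points raised in this thread on a Linux host, as an added example that is not part of any comment: the kernel reports each process's seccomp mode, NoNewPrivs flag and effective capability mask in `/proc/<pid>/status`, and its namespaces under `/proc/<pid>/ns`, whichever runtime started it. The two status excerpts are constructed samples and the function names are illustrative.

```python
import os

# Capability names by bit position, as defined in linux/capability.h (bits 0..40).
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
             "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
             "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
             "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
             "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
             "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

def decode_caps(hex_mask):
    """Turn a CapEff/CapPrm/CapBnd hex mask into a list of CAP_* names."""
    mask = int(hex_mask, 16)
    return [f"CAP_{name}" for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]

def isolation_summary(status_text):
    """Summarise the isolation-relevant fields of a /proc/<pid>/status dump."""
    fields = dict(line.split(":", 1) for line in status_text.splitlines() if ":" in line)
    fields = {key: value.strip() for key, value in fields.items()}
    return {
        "seccomp": SECCOMP_MODES.get(fields.get("Seccomp"), "unknown"),
        "no_new_privs": fields.get("NoNewPrivs") == "1",
        "effective_caps": decode_caps(fields.get("CapEff", "0")),
    }

def namespaces(pid="self"):
    """Map namespace type to its id, e.g. {'net': 'net:[4026531840]'}; {} off Linux."""
    ns_dir = f"/proc/{pid}/ns"
    if not os.path.isdir(ns_dir):
        return {}
    return {name: os.readlink(os.path.join(ns_dir, name)) for name in sorted(os.listdir(ns_dir))}

# Constructed /proc/<pid>/status excerpts: a filtered, reduced-capability process
# and an unfiltered process holding every capability.
SAMPLE_FILTERED = "Name:\tnginx\nNoNewPrivs:\t0\nSeccomp:\t2\nCapEff:\t00000000a80425fb\n"
SAMPLE_UNFILTERED = "Name:\tsystemd\nNoNewPrivs:\t0\nSeccomp:\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, text in (("filtered", SAMPLE_FILTERED), ("unfiltered", SAMPLE_UNFILTERED)):
        print(label, isolation_summary(text))
    print("namespaces of this process:", namespaces())
```

Two processes share a namespace when `namespaces()` returns the same id for that type, so comparing a container's init process against host PID 1 shows which namespaces the runtime actually unshared.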



