Since you are using LXC/LXD, make sure that AppArmor is enabled on the host and ensure that a configuration profile exists (should be a decent default one available) that blocks the containers from reading things like the /etc/passwd file.

I personally run all containers in centos/alma/fedora systems specifically to take advantage of the strong SELinux-container policies.

Other things you can do would be to rebuild public images, patch them, and save them to your private registry. I find that not all container maintainers patch as aggressively as I would like. Furthermore, you can look into running containers as non root and use a non root “daemon” like Podman instead of Docker.

I personally don’t think this is a great idea aka taking your regular computer that you probably bank on, access sensitive sites, etc. and then torrenting on it and potentially opening up ports to said system.

Infrastructure is cheap so look at Hetzner, Contabo, Netcup, etc.