Mandatory Access Control outside of containers
Applications running outside of the containers should also be controlled by Mandatory Access Control (MAC), such as SELinux or AppArmor.
MAC requires policies, and those policies need maintenance. We can reuse existing policies (for example, the Debian ones or the Yocto ones from meta-security). The choice should be documented, as should the changes and additions to the policies.
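One way to check that host applications really are covered by the chosen policy is to list the processes that run without an enforcing profile or domain. The script below is an added example, not part of the original page. It assumes a Linux host where the MAC label of a process can be read from /proc/<pid>/attr/current; the function names and the set of SELinux domains treated as unconfined are assumptions to adapt to the documented policy.

```python
import os

# Assumption: SELinux domains this audit treats as effectively unconfined.
SELINUX_UNCONFINED = {"unconfined_t", "unconfined_service_t", "initrc_t"}


def classify(label):
    """Map the content of /proc/<pid>/attr/current to a confinement state."""
    label = label.strip("\x00\n ")
    if not label:
        return "no-mac"                       # no LSM label available
    if label == "unconfined":
        return "unconfined"                   # AppArmor: no profile attached
    if label.endswith(")") and " (" in label:
        mode = label.rsplit(" (", 1)[1][:-1]  # AppArmor: "<profile> (<mode>)"
        return "confined" if mode == "enforce" else "not-enforced"
    parts = label.split(":")                  # SELinux: user:role:type[:level]
    if len(parts) >= 3:
        return "unconfined" if parts[2] in SELINUX_UNCONFINED else "confined"
    return "unknown"


def read_file(path):
    """Return the file content, or None when it cannot be read."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def audit(proc="/proc"):
    """Return (pid, comm, state, label) for each process that is not confined."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        comm = read_file(f"{proc}/{pid}/comm")
        if comm is None or not read_file(f"{proc}/{pid}/cmdline"):
            continue                          # exited process or empty cmdline (kernel thread)
        label = (read_file(f"{proc}/{pid}/attr/current") or "").strip("\x00\n ")
        state = classify(label)
        if state != "confined":
            findings.append((int(pid), comm.strip(), state, label))
    return sorted(findings)


if __name__ == "__main__":
    for pid, comm, state, label in audit():
        print(f"{pid:>7} {comm:<16} {state:<12} {label}")
```

Run it on the host and compare the output against the documented policy choice: each listed process is either a gap in the policy or an exception that should be recorded with the other policy changes.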