@catfish My idea was to have a minimal host, so no DE and the absolute minimum number of packages. And have workstations and a NAS containerized. Likely all can be unprivileged but why not go privileged and make some shortcuts. No public-facing services or unknown executables so who cares. Handling (ZFS) storage directly in the NAS for example would be more straightforward, as well as things like graphics or sound probably.
@echoslider That’s quite useful, thanks! But you say you have AppArmor and SELinux enabled, why do that with unprivileged containers? The images I used so far come with them disabled.
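The two posts above turn on a pair of properties that are easy to assert from inside a container: whether it is actually unprivileged (container root mapped to a non-zero host uid) and whether an AppArmor profile is enforcing on it. The script below is an added example, not code from either poster; it assumes a Linux host where `/proc/self/uid_map` and `/proc/self/attr/current` exist (standard on AppArmor-enabled kernels), and the sample strings are constructed stand-ins for those two files.

```shell
#!/bin/sh
# Added example (not from the thread): decide from /proc data whether the
# container we are running in is unprivileged and AppArmor-confined.

# A container with no user namespace maps host uid 0 directly: "0 0 4294967295".
# An unprivileged one maps container uid 0 to a high host uid, e.g. "0 100000 65536".
uid_map_is_unprivileged() {
    # $1: one line in the format of /proc/self/uid_map: "<inside> <outside> <count>"
    set -- $1
    inside=$1
    outside=$2
    [ "$inside" = "0" ] && [ "$outside" != "0" ]
}

# /proc/self/attr/current reads "unconfined" when no AppArmor profile applies,
# otherwise "<profile> (enforce)" or "<profile> (complain)".
apparmor_is_enforcing() {
    case "$1" in
        *"(enforce)"*) return 0 ;;
        *) return 1 ;;
    esac
}

check_container() {
    # $1: uid_map line, $2: AppArmor label; prints a verdict and returns 0
    # only when the container is both unprivileged and enforced.
    status=0
    if uid_map_is_unprivileged "$1"; then
        echo "uid_map: unprivileged (container root -> host uid $(echo "$1" | awk '{print $2}'))"
    else
        echo "uid_map: PRIVILEGED (container root is host root)"
        status=1
    fi
    if apparmor_is_enforcing "$2"; then
        echo "apparmor: enforcing ($2)"
    else
        echo "apparmor: not enforcing ($2)"
        status=1
    fi
    return $status
}

# Constructed sample values standing in for the two files; run with --self on a
# real container to read /proc/self/uid_map and /proc/self/attr/current instead.
SAMPLE_UID_MAP_UNPRIV="         0     100000      65536"
SAMPLE_UID_MAP_PRIV="         0          0 4294967295"
SAMPLE_AA_ENFORCE="lxc-container-default-cgns (enforce)"
SAMPLE_AA_NONE="unconfined"

if [ "${1:-}" = "--self" ]; then
    check_container "$(head -n1 /proc/self/uid_map)" "$(cat /proc/self/attr/current)"
else
    check_container "$SAMPLE_UID_MAP_UNPRIV" "$SAMPLE_AA_ENFORCE"
fi
```

Run it as `sh check.sh --self` inside a container to get the live verdict; the profile name `lxc-container-default-cgns` in the sample is only an illustrative value and will differ between distributions and container managers.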