It’s amazing because, without knowing all the details that you briefly described about how lxc works, I came to the same conclusion:
Install and configure an SSH server in the container, configure the firewall to redirect external packets coming to a specific port to the IP address and SSH port of the container, then test and, if everything is OK, restrict lxc usage (i.e. login options) on the host using /etc/sudoers, so that no one would be allowed to run commands that permit reaching the container from the host. Taking all this into consideration, and also that the SSH private key will be password-protected, I am trying to imagine that this would be a pretty safe workaround (config).
As soon as I am done (this will be a couple of days), I will report back, just to confirm.
Thank you!
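The firewall redirect described in the post above, as an added example that is not part of the original post: a dry-run generator that validates its inputs and prints the iptables rules for review without applying anything. The use of iptables, the sample port 2222, the sample address 10.0.3.10 and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post). Dry run: prints rules, applies nothing.
# Port 2222 and address 10.0.3.10 are constructed sample values.

valid_port() {
    # digits only, at most five of them, in the range 1-65535
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    # reject anything but digits and dots, and empty leading/trailing/inner fields
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# forward_rules EXT_PORT CONTAINER_IP [CONTAINER_SSH_PORT]
forward_rules() {
    ext_port=$1; ct_ip=$2; ct_port=${3:-22}
    valid_port "$ext_port" || { echo "bad external port" >&2; return 1; }
    valid_port "$ct_port"  || { echo "bad container port" >&2; return 1; }
    valid_ipv4 "$ct_ip"    || { echo "bad container address" >&2; return 1; }
    # Choice made by this example: never redirect port 22, so a host sshd
    # listening there is not cut off by the DNAT rule.
    [ "$ext_port" -ne 22 ] || { echo "refusing to redirect port 22" >&2; return 1; }
    # Rewrite the destination of packets arriving on the external port.
    echo "iptables -t nat -A PREROUTING -p tcp --dport $ext_port -j DNAT --to-destination $ct_ip:$ct_port"
    # Allow the rewritten traffic to be forwarded to the container only.
    echo "iptables -A FORWARD -p tcp -d $ct_ip --dport $ct_port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
}

forward_rules 2222 10.0.3.10
```

Review the printed rules before running them as root; the validation keeps a mistyped or hostile argument from ending up inside a command that is later pasted into a root shell.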