In computer security, safe and secure are very specific terms. In particular, secure can mean several things.
The way I would tackle these issues is this:
- You have the choice of virtual machines and containers. For both there are several implementations, but the gist is that with virtual machines, the computer has to offer hardware support for virtualization to work. And with virtualization, there are nice hardware barriers between the VMs and the host. With containers, the barrier is the Linux kernel; the Linux kernel offers security primitives (namespaces, cgroups) that separate process trees from each other.
- Things tend to break less if they are smaller in size or have fewer features. This can be a rule of thumb when you choose between VM implementations and container implementations.
- With LXD, you can have instances for both VMs (KVM/qemu) and containers (system containers, LXC style and different from Docker).
Let’s add to the mix the baremetal servers. Twenty years ago there were only (mostly?) baremetal servers, which was cool for physical isolation.
Depending on your budget and assessment of the demands, you would pick and choose between baremetal servers, VMs and containers. You might end up with something like a baremetal server with 6 VMs (LXD), and in three of the VMs you would have LXD system containers.
Having said all that, Firecracker is not immediately comparable to LXD VM. As I understand, Firecracker compares to Docker (application containers) and just cannot run a Linux distribution.
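As an added example that is not part of the original post: the kernel-level barrier mentioned above for containers can be inspected by comparing the namespace identifiers under `/proc/<pid>/ns` for a host process and a container process. The function names and the sample identifiers are assumptions made for this illustration.

```python
import os

# Namespace types the Linux kernel exposes under /proc/<pid>/ns.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

def read_namespaces(pid="self"):
    """Return {ns_type: 'type:[inode]'} for a live process (Linux only)."""
    result = {}
    for ns in NS_TYPES:
        try:
            result[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            # Entry missing on this kernel, or no permission to read it.
            result[ns] = None
    return result

def compare_namespaces(host, guest):
    """Classify each namespace type as 'shared', 'isolated' or 'unknown'."""
    report = {}
    for ns in NS_TYPES:
        a, b = host.get(ns), guest.get(ns)
        if a is None or b is None:
            report[ns] = "unknown"
        elif a == b:
            report[ns] = "shared"      # same kernel object: no barrier here
        else:
            report[ns] = "isolated"    # separate namespace instance
    return report

def shared_with_host(report):
    """Namespace types where the guest process is not separated from the host."""
    return sorted(ns for ns, state in report.items() if state == "shared")

# Constructed sample values (not taken from a real system): a host process and
# a container process that has its own namespaces except for the user namespace.
SAMPLE_HOST = {"cgroup": "cgroup:[4026531835]", "ipc": "ipc:[4026531839]",
               "mnt": "mnt:[4026531841]", "net": "net:[4026531840]",
               "pid": "pid:[4026531836]", "user": "user:[4026531837]",
               "uts": "uts:[4026531838]"}
SAMPLE_CONTAINER = {"cgroup": "cgroup:[4026532601]", "ipc": "ipc:[4026532599]",
                    "mnt": "mnt:[4026532597]", "net": "net:[4026532603]",
                    "pid": "pid:[4026532600]", "user": "user:[4026531837]",
                    "uts": "uts:[4026532598]"}

if __name__ == "__main__":
    print(compare_namespaces(SAMPLE_HOST, SAMPLE_CONTAINER))
    # On a Linux host, compare this process with PID 1 (may need root).
    print(compare_namespaces(read_namespaces(1), read_namespaces("self")))
```

A process inside a VM does not appear in the host's `/proc` at all, so this comparison only applies to containers.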