What are the pros and cons of running each unprivileged LXC container on the server each under separate user versus running all unprivileged containers under the single lxc system user? Does creating separate users per container improve security by removing blast radius enough that it’s worth the hassle? What about communication between containers if I have separate user per container? Is doing so worth the time or is it better to create just a single lxc user for all containers?
Not really. Who spawned the container doesn’t matter too much as far as attack surface from within the container.
What matters more is what host uid/gid ranges are available to the container.
If two containers run with the same range then, given the right set of kernel bugs, one container could become able to interact with the processes of another.
Preventing this doesn’t require different users though, only different lxc.idmap for each container and a large enough allocation to your lxc user so that it can give usable distinct maps to different containers.
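As an added illustration of the point above (this is example code, not something from the original thread): a small check that parses the `lxc.idmap` lines of several container configs and reports any pair whose host uid/gid ranges intersect. The container names and config snippets are constructed samples; the lxc user's `/etc/subuid` and `/etc/subgid` allocation is assumed to cover every range used.

```python
# Added example: detect unprivileged LXC containers whose lxc.idmap lines map
# onto overlapping host uid/gid ranges. The config texts below are constructed.
import re
from itertools import combinations

# lxc.idmap = <u|g> <container id start> <host id start> <count>
IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_idmap(config_text):
    """Return host ranges as (kind, host_start, host_end), end exclusive."""
    ranges = []
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            kind, _ctr_start, host_start, count = m.groups()
            ranges.append((kind, int(host_start), int(host_start) + int(count)))
    return ranges


def overlapping_pairs(configs):
    """configs: dict of container name -> config text.
    Returns sorted (name_a, name_b, kind) for every pair of containers whose
    host uid ('u') or gid ('g') ranges intersect."""
    parsed = {name: parse_idmap(text) for name, text in configs.items()}
    hits = set()
    for a, b in combinations(sorted(parsed), 2):
        for kind_a, s_a, e_a in parsed[a]:
            for kind_b, s_b, e_b in parsed[b]:
                # half-open intervals overlap iff each starts before the other ends
                if kind_a == kind_b and s_a < e_b and s_b < e_a:
                    hits.add((a, b, kind_a))
    return sorted(hits)


# Constructed sample configs: "web" and "db" get distinct 65536-wide host
# ranges, as the answer recommends; "bad" reuses web's range.
SAMPLE_CONFIGS = {
    "web": "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n",
    "db":  "lxc.idmap = u 0 165536 65536\nlxc.idmap = g 0 165536 65536\n",
    "bad": "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n",
}

if __name__ == "__main__":
    for a, b, kind in overlapping_pairs(SAMPLE_CONFIGS):
        print(f"{a} and {b} share a host {kind}id range")
```

Run it over the real `config` files of all containers owned by the lxc user to confirm that every container has its own slice of that user's subuid/subgid allocation.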