So attempt to run every container with the least privilege:
- seperate networks for each stack
- only map needed folders
- run the container as a non root user (some containers won't work so they need to be run as root user)
- use a RP with authentication (if a app is valuable)
- make differential backups to shrink size and increase the interval (and check if they work)
- block internet access to containers that don't need them
If the source of the image is getting hacked/ the maintainer does make a backdoor, etc