The thing about containers is they usually have no NEED in general for pure open file system access. No need for full network access (host, LAN, WAN). So the smaller the privileges the better. So even if it is compromised there’s very little you can do with it.
This is also a general principle for network management. For instance when does the TV need to print or access any server other than Jellyfin?
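Added example, not part of the comment above: a small audit of `docker inspect` JSON that flags the kinds of excess filesystem and network access the comment describes. The container names, host paths and the `BROAD_SOURCES` list are constructed for illustration; the field names are those found in `docker inspect` output.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical containers.
SAMPLE = json.loads("""
[
 {"Name": "/media-wide-open",
  "HostConfig": {"Privileged": true, "NetworkMode": "host",
                 "ReadonlyRootfs": false, "CapAdd": ["SYS_ADMIN"], "CapDrop": null},
  "Mounts": [{"Source": "/", "Destination": "/host", "RW": true}]},
 {"Name": "/media-locked-down",
  "HostConfig": {"Privileged": false, "NetworkMode": "media_net",
                 "ReadonlyRootfs": true, "CapAdd": null, "CapDrop": ["ALL"]},
  "Mounts": [{"Source": "/srv/media", "Destination": "/media", "RW": false},
             {"Source": "/srv/jellyfin/config", "Destination": "/config", "RW": true}]}
]
""")

# Assumption: host paths considered too broad to hand to a single service.
BROAD_SOURCES = {"/", "/etc", "/home", "/root", "/var", "/var/run/docker.sock"}


def audit(container):
    """Return findings where a container holds more access than it needs."""
    hc = container.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged mode")
    if hc.get("NetworkMode") == "host":
        findings.append("host network namespace")
    if not hc.get("ReadonlyRootfs"):
        findings.append("writable root filesystem")
    # Docker reports null when no capabilities were dropped or added.
    if "ALL" not in [c.upper() for c in (hc.get("CapDrop") or [])]:
        findings.append("default capabilities not dropped")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    for mount in container.get("Mounts", []):
        if mount.get("Source") in BROAD_SOURCES:
            findings.append(f"broad host path mounted: {mount['Source']}")
    return findings


if __name__ == "__main__":
    for c in SAMPLE:
        print(c["Name"], audit(c) or "no findings")
```

To run it against a live host, replace `SAMPLE` with the parsed output of `docker inspect` for the containers of interest.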