I presume that if you run a container or VM as you on your system you can
make a copy of its memory from the host system.
If you run it as root, is root the only user (outside of escalation
exploits) that has access to the memory?
If you run it as a 3rd party, e.g. myvmuser, then only that user and root
can inspect the memory from the host side?
I'm contemplating the security implications of running a security or
privacy process (password manager, keyserver, etc.) in a containerized
or VM environment rather than just running it as an application on the
Security and privacy processes try to lock down the memory on the host
system, but when the OS is in a sub-process you can dump the entire
In this particular case, I'm not worried about something escaping the
hosted system, rather I'm concerned about what can spy on the hosted