Which is why docker apps are awesome. If you've allowed a container to be reached from the outside world one way or another and it gets compromised, then that container only has access to certain folders etc. that you have decided to give it, with the permissions (ro / rw) that you also gave it access to.
And, if you are allowing outside access to any given app, then you should also make sure that the app is constantly up to date, either by checking yourself, say monthly, or just simply having it auto-update via the plugin so that you are getting the latest versions of the app / container, security updates, etc.
Note that updates aren't just limited to the containers. The major plugins (CA family, Dynamix, UD and more) are all constantly being reviewed for security issues and having updates issued to them, not to mention the OS itself.
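
An added example, not part of the post above: a small audit over `docker inspect` JSON that lists, for every container with a published port or host networking, the host folders it can write to. The container names and paths are constructed, and treating "published port or host networking" as "reachable" is an assumption of this sketch.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not real containers).
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/webapp", "HostConfig": {"NetworkMode": "bridge"},
  "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}},
  "Mounts": [{"Source": "/mnt/user/appdata/webapp", "Destination": "/config", "RW": true},
             {"Source": "/mnt/user/media", "Destination": "/media", "RW": false}]},
 {"Name": "/backup", "HostConfig": {"NetworkMode": "bridge"},
  "NetworkSettings": {"Ports": {"9000/tcp": null}},
  "Mounts": [{"Source": "/mnt/user", "Destination": "/data", "RW": true}]},
 {"Name": "/dlna", "HostConfig": {"NetworkMode": "host"},
  "NetworkSettings": {"Ports": {}},
  "Mounts": [{"Source": "/mnt/user/media", "Destination": "/media", "RW": false}]}
]""")


def published_ports(container):
    """Host-side port bindings; ['host-network'] when the container shares the host stack."""
    if container.get("HostConfig", {}).get("NetworkMode") == "host":
        return ["host-network"]
    ports = container.get("NetworkSettings", {}).get("Ports") or {}
    found = []
    for container_port, bindings in ports.items():
        for b in bindings or []:  # null means exposed in the image but not published
            found.append(f"{b.get('HostIp') or '0.0.0.0'}:{b['HostPort']}->{container_port}")
    return sorted(found)


def audit(containers):
    """For each reachable container, report which host paths are mounted read-write."""
    findings = []
    for c in containers:
        ports = published_ports(c)
        if not ports:
            continue  # nothing published: out of scope for this check
        rw = sorted(m["Source"] for m in c.get("Mounts", []) if m.get("RW"))
        findings.append({"name": c["Name"].lstrip("/"), "ports": ports, "rw_mounts": rw})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INSPECT):
        writable = ", ".join(f["rw_mounts"]) or "none (all mounts read-only)"
        print(f"{f['name']}: reachable via {', '.join(f['ports'])}; writable: {writable}")
```

To run it against a live host, replace the sample with the JSON produced by `docker inspect $(docker ps -q)`.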