Virtualization
Kroid, 2014-11-16 15:17:10

How isolated is a docker container?

Is it possible from inside a docker container (for example, by connecting to it via ssh) to get access to the server on which this container is running (except when this is done on purpose, such as sharing a certain directory)? Is it safe to give anyone root access to a running container if you don't care about the container but don't care about the server?

3 answer(s)
Ilya Evseev, 2014-11-16
@Kroid

It is safe to install all security updates for the Linux kernel immediately.
Otherwise, there is a risk that an exploit will be launched in the container, which makes it possible to exit the container, gain superuser rights, etc.

brutal_lobster, 2014-11-17
@brutal_lobster

It's hard to give to anyone in principle) Isolation is not complete, the kernel is shared.
Security updates or limited rights will not give a guarantee - unless the scriptkiddy can not be broken right away. Although it may not be necessary anymore)
Yes, and they can start some kind of crap - abuses and bans will pour in ..
Monitoring, total control and backups at a higher level are required.
+ I recommend getting acquainted with the experience of OpenShift and company)
www.youtube.com/watch?v=3gkEfzja4wc

Seryoga, 2015-06-05
@sirocco

And how can you find out the processes of the server on which it is running from the docker container?
Docker is running on Synology, in an OpenWRT docker container, how can I find out Synology processes from OpenWRT?
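
As an added example (not part of the thread and not Docker's own code): a host-side check over `docker inspect` output that lists the settings which deliberately weaken a container's isolation, including the shared PID namespace without which host processes are not visible from inside. The sample JSON, the container name and the path are constructed; the field names are those of `docker inspect`.

```python
import json

# Constructed `docker inspect <container>` output, trimmed to the fields checked.
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/openwrt",
  "HostConfig": {
    "Privileged": false,
    "PidMode": "host",
    "NetworkMode": "bridge",
    "CapAdd": ["SYS_ADMIN"],
    "SecurityOpt": null
  },
  "Mounts": [
    {"Type": "bind", "Source": "/srv/shared",
     "Destination": "/mnt/shared", "RW": true},
    {"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data",
     "Destination": "/data", "RW": true}
  ]
}]
""")

def audit_container(info):
    """Return the settings of one container that weaken isolation from the host."""
    host = info.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices")
    # By default a container has its own PID namespace and sees only its own processes.
    if host.get("PidMode") == "host":
        findings.append("pid=host: host processes are visible in the container")
    if host.get("NetworkMode") == "host":
        findings.append("net=host: container uses the host network stack")
    for cap in host.get("CapAdd") or []:
        findings.append(f"cap-add {cap}: capability beyond the default set")
    for opt in host.get("SecurityOpt") or []:
        if opt.endswith("unconfined"):  # seccomp or AppArmor profile switched off
            findings.append(f"security-opt {opt}: kernel filter disabled")
    for m in info.get("Mounts") or []:
        if m.get("Type") == "bind":  # named volumes are not host paths chosen by hand
            mode = "rw" if m.get("RW") else "ro"
            findings.append(f"bind mount {m['Source']} ({mode}): host path shared")
    return findings

if __name__ == "__main__":
    for c in SAMPLE_INSPECT:
        print(c["Name"], *audit_container(c), sep="\n  ")
```

An empty result means only that none of these opt-in settings is present; the kernel is still shared, so the advice above about kernel updates and monitoring applies regardless.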
