FourSigma 14 hours ago
I've been exploring this space. There are some use cases where I'd love to run an isolated Claude agent asynchronously. I think running Docker in rootless mode might solve some of the OP's concerns; I believe Podman does this implicitly. Also, there are tools like Kaniko that do not need Docker to create container images. You can also try changing the underlying container runtime to something like gVisor if you want more security. Does anybody have experience using microVMs (Firecracker, Kata Containers, etc.) for this use case? Would love to hear your thoughts.
fwystup 11 hours ago
Posted almost at the same time about Kata. I'm trying to use Kata as a replacement for the standard Docker runtime (since I already have a tool based on Docker). The idea is to simply use the runtime flag (after installing Kata):

docker run -d --runtime=kata -p 8080:8080 codercom/code-server:latest

Hope this works; with this I could keep my existing Docker setup.
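Both comments above hinge on the same question: does swapping `--runtime` (Kata, gVisor, or anything else) actually put the workload behind its own kernel, or is it still sharing the host kernel like runc? The script below is an added example, not code from either commenter: it checks that the named runtime is registered with the Docker daemon, runs a throwaway container under it, and compares the kernel the container reports against the host's. Under runc `uname -r` inside the container equals the host value; under a microVM such as Kata it is the guest VM's kernel, and gVisor reports its own emulated version string, so a mismatch is the signal that a kernel boundary exists. The runtime name `kata`, the image `alpine:3.19`, and the function names are assumptions for illustration; the runtime must already be configured in the daemon, as the post assumes ("after installing Kata").

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Docker runtime selected
# with --runtime really isolates the container behind a different kernel.
# Assumes the runtime (e.g. "kata") is already registered with the daemon.

# kernel_differs HOST_KERNEL GUEST_KERNEL
# Pure comparison used by the checks below: succeeds only when both strings
# are non-empty and differ. Kept separate so it can be tested without Docker.
kernel_differs() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# runtime_registered RUNTIME_NAME
# Succeeds if `docker info` lists the runtime; otherwise `docker run`
# would fail with "unknown or invalid runtime name" anyway, but this gives
# a clearer error before pulling an image.
runtime_registered() {
    docker info --format '{{range $k, $v := .Runtimes}}{{$k}}{{"\n"}}{{end}}' 2>/dev/null \
        | grep -qx "$1"
}

# check_runtime_isolation RUNTIME_NAME [IMAGE]
# Exit 0: container reports a different kernel than the host (VM/sandbox).
# Exit 1: container reports the host kernel (no kernel boundary, runc-like).
# Exit 2: runtime missing or container failed to start.
check_runtime_isolation() {
    rt=$1
    image=${2:-alpine:3.19}   # assumed small image with a working `uname`

    if ! runtime_registered "$rt"; then
        echo "runtime '$rt' is not registered with the Docker daemon" >&2
        return 2
    fi

    host_kernel=$(uname -r)
    guest_kernel=$(docker run --rm --runtime="$rt" "$image" uname -r) || return 2

    if kernel_differs "$host_kernel" "$guest_kernel"; then
        echo "OK: runtime '$rt' reports kernel '$guest_kernel' (host: '$host_kernel')"
        return 0
    fi
    echo "WARNING: runtime '$rt' reports the host kernel '$host_kernel'; no kernel boundary" >&2
    return 1
}

# container_runtime CONTAINER_NAME_OR_ID
# For an already-running container (such as the code-server one from the
# post), print the runtime it was actually started with, so a silent
# fallback to the daemon default does not go unnoticed.
container_runtime() {
    docker inspect --format '{{.HostConfig.Runtime}}' "$1"
}

# Example usage (uncomment on a host with Docker and Kata installed):
# check_runtime_isolation kata
# check_runtime_isolation runc   # expected to return 1: same kernel as host
# container_runtime "$(docker ps -q --filter ancestor=codercom/code-server:latest)"
```

Run `check_runtime_isolation runc` alongside `check_runtime_isolation kata` on the same host: the first should warn and the second should pass, which confirms the comparison is discriminating rather than trivially succeeding. If `container_runtime` prints `runc` for a container you started with `--runtime=kata`, the flag did not take effect and the workload is not in a VM.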