One problem with pkg and jails, is that there aren't good instructions for how you separate the "this is the current list of pkg and their status in the repo" from "this is the current list of INSTALLED pkg and their specific state and version in this host"

If this can be documented, and work with an exterior common pkg repo state, then every jail can be updated on pkg upgrade, for it's specific pkg, when the exterior state is updated for pkg update, to get refreshed for what needs to be updated.

Right now, under bastille, I do pkg update && pkg upgrade inside each jail and I therefore have n copies of the state of the pkg repo.

Trivial attempts at this wind up with every jail having identical pkg state. I don't want that: one for plex, one for vaultwarden, one for adguard, they should have the minimum attack surface of just the pkg and the necessary dependencies.