I would treat bwrap processes as single-use across tenants, since host-side state (allocator, FDs, namespace bits) accumulates and you can not really prove it clean.