That's not contradictory. Capabilities in Docker are also limited, but both are used as a part of defense in depth.