> Java applets provided more scope compared to the browser itself, not less. They're not really comparable to seccomp or namespaces.

They are comparable because they provided a restricted sandbox to execute untrusted code.

> There's lots of CI or function runners that expose docker-like environments.

These are running inside VMs.