Plus a script to unpack the tarball somewhere and launch some entry point in a jail. Not conceptually hard, but the OCI spec has a bit more to it than that, and now we're into "write dropbox with rsync" territory...

I did some looking around, and I see that ocijail is a thing, so that's probably what I was looking for.

(edited, sorry, I didn't see your reply)