On the other hand:

• Loop-device exhaustion (slow, though Ubuntu has increased the limit via a patch).
• A single point of failure due to Canonical’s repository imposition (a closed garden).
• Unmaintained branches and snapped apps.
• Implicit installation of snapped apps through the apt CLI instead of the originally supported packages 🤬 (what the hell, Canonical!? Are you doing the same crap as Microsoft?).

The server-side closed garden is the opposite of an open ecosystem and the open-source community. You can add custom repositories to APT or Flatpak. Every new snap interaction feels like another step toward forcing the user to use it, instead of offering cool features that convince users on their own merits.

The last change (installing snapped apps when you run apt install) was horrendous. What’s next? Installing snapped apps when the user runs flatpak install?

You could try mine, SimpleK8s (kubeadm, containerd, systemd, buildroot), ~50Mb single file (kernel+initramfs). https://simplek8s.org/

The current footprint is lower than every alternative commented on this article.

You are giving access to the docker socket (/var/run/docker.sock), so this container can create/edit/remove any container from your system, even add,edit, remove volumes or host path.

I have no idea if you can send modification API commands to a ReadOnly socket. I think you could, in the same way that you can do something with just HTTP-GET. Example: curl --unix-socket /var/run/docker.sock http:/images/json

Doc: https://docs.docker.com/reference/api/engine/version/v1.41/#tag/Container/operation/ContainerInspect