Containers assumed reviewed code. AI agents break that assumption.

The interesting shift here isn’t Docker vs microVMs, it’s that “execute first, reason later” has become normal — and that forces isolation to move down to the kernel boundary.