yeap, you can install libraries as you like, those (like libc) communicate with the host kernel through syscalls for things like IO, memory management, etc. You could even build a docker image with only one file in it, the executable you would like to run, if the executable is doing all the syscalls itself (I think go apps are doing that?! or one built with a statically linked musl).
edit: And you can pass host resources into the container, like an X11 socket for example, possibly without namespacing tho (Wayland shouldn't be as bad as X11, as it doesn't allow access to other windows, doesn't pass keyboard/mouse events to all windows/apps etc).
I'm running steam, thus all steam games (native or through proton), in a flatpak container. flatpak is very similar to docker, it uses the same "namespacing" primitives docker is using, but manages "images" in a different way (there is also Ubuntu's "snap", which is also similar to docker). I guess as long as you are using APIs (like graphics) that the kernel supports (and the according namespacing of said APIs. Graphics might not even be properly namespaced, I have no clue… X11 is also quite "leaky") there is no limit.
One difference is that you're still relying on proper kernel namespacing, if there is a kernel bug some data might leak from one container or the host to another container. VMs are more closed up at the cost of having a complete OS with its own kernel running.
WE DO NOT BREAK USERSPACE!
You have new features added to a newer kernel, but old APIs never change!
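The comment's point that isolation rests entirely on kernel namespaces, and that passing host resources (an X11 socket, `--ipc=host`) can quietly share some of them, is something you can verify from the host. The script below is an added example, not code from the commenter: it reads `/proc/<pid>/ns/*` for a container process and for the host's PID 1 and reports which namespace types are shared. The `HOST_NS` and `CONTAINER_NS` dicts are constructed sample data so it runs offline; `read_namespaces` is the live Linux path.

```python
import os
import re

# Namespace types the kernel exposes under /proc/<pid>/ns (time/time_for_children are newer).
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_namespaces(pid="self"):
    """Return {ns_type: symlink target} for /proc/<pid>/ns/*, e.g. 'net:[4026531840]'.
    Linux only; types this kernel does not expose are skipped. Needs the same
    user as the target process or root, otherwise readlink fails with EACCES."""
    result = {}
    for ns in NS_TYPES:
        try:
            result[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue
    return result


def ns_inode(link):
    """Extract the inode number from a 'type:[inode]' link target."""
    m = re.fullmatch(r"[a-z_]+:\[(\d+)\]", link)
    if not m:
        raise ValueError(f"unexpected namespace link: {link!r}")
    return int(m.group(1))


def shared_namespaces(proc_ns, host_ns):
    """Namespace types where the process and the host hold the same inode,
    i.e. no isolation for that resource class."""
    return sorted(ns for ns in proc_ns
                  if ns in host_ns and ns_inode(proc_ns[ns]) == ns_inode(host_ns[ns]))


def isolation_report(proc_ns, host_ns):
    shared = shared_namespaces(proc_ns, host_ns)
    private = sorted(set(proc_ns) - set(shared))
    return {"shared": shared, "private": private}


# Constructed sample: a container started with host networking and host IPC
# (as one might do to hand it an X11 socket) but with its own mnt/pid/uts/user.
HOST_NS = {"cgroup": "cgroup:[4026531835]", "ipc": "ipc:[4026531839]",
           "mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
           "pid": "pid:[4026531836]", "user": "user:[4026531837]", "uts": "uts:[4026531838]"}
CONTAINER_NS = dict(HOST_NS, cgroup="cgroup:[4026532611]", mnt="mnt:[4026532600]",
                    pid="pid:[4026532601]", user="user:[4026532602]", uts="uts:[4026532603]")

if __name__ == "__main__":
    print(isolation_report(CONTAINER_NS, HOST_NS))
    # On a Linux host: print(isolation_report(read_namespaces(<container pid>), read_namespaces(1)))
```

Anything listed under `shared` is a resource class where a bug in the container runtime or the kernel is not even required for crossover; the host and container already see the same object.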