I like to run a hypervisor host as just that, a hypervisor host. The host being stable is important, and it also reduces the attack surface by having it serve only that role.
An LXC per service is somewhat overkill. A docker host running on LXC could likely run all the docker containers.
Aw man. I left Reddit on my own terms as soon as the writing was on the wall re: 3rd party apps.
To have access ripped away without notice must have bred some deep hatred for the platform.