Grsecurity coexists fine with containers. Yes, containers are a better choice than chroot (though not the best choice). The benefit of containers, however, is only realized if they're actually used. Grsecurity's chroot restrictions are still useful, as they passively add protection to applications that, for portability or other reasons, are using chroots as a security mechanism. Most grsecurity features are written to work in a similar passive way. The idealist would say "convert everything from using chroot to using containers," but this hasn't happened. In fact, based on a recent study of pie/ssp/fortify_source usage among distros, it's clear that the mechanisms we've had for years aren't being fully utilized in any distro. It's poor security strategy to protect based on how you wish things were in the optimal case on your end, rather than based on what the situation is in reality.