> What's the point of "separating services into containers"?
It makes root an unprivileged user. This allows you to separate application domains in a much more meaningful way than without containers.
It performs this through the use of namespace isolation: a unique set of namespaces provided by the kernel. Network namespaces, file system, uids, pids, etc.
With LXC and others you can choose your level of isolation also. You can run your browser with read-only file system support or a different home directory than the rest of your applications without having to use different users. Or you can isolate the browser entirely or whatever.
Combine that with SELinux or whatever and you can sandbox applications in a secure manner without having to change their code.
> Hardware-level virtualization is a different matter though and can in principle improve security.
No it can't.
If you are using virtualization to improve security you are doing it wrong.
Virtualization is about lowering administrative overhead and reducing hardware costs, among other things. It's not about improving security. People that say virtualization is for improving security are either trying to sell you on something or they don't really understand how security works.
If you have security issues with buggy code, throwing more code at the problem probably isn't going to help much. This is what virtualization does...
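The "root becomes an unprivileged user" point in the post above comes from user namespaces: the kernel translates uids inside the container to uids outside it through `/proc/<pid>/uid_map` (columns: inside-start, outside-start, length), and anything not covered by the map shows up as the overflow id. The following script is an added example, not code from the thread; it parses that file format, translates ids in both directions, and flags the case where container root maps to real host root. The sample map `0 100000 65536` is constructed to look like a typical unprivileged LXC container; the `65534` overflow value is the kernel default for `/proc/sys/kernel/overflowuid`.

```python
import os

# Kernel default for /proc/sys/kernel/overflowuid: ids with no mapping
# are presented as this uid ("nobody" on most distributions).
OVERFLOW_UID = 65534


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside_start, outside_start, length) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        inside, outside, length = (int(p) for p in parts)
        if inside < 0 or outside < 0 or length <= 0:
            raise ValueError(f"invalid id map range: {line!r}")
        entries.append((inside, outside, length))
    return entries


def inside_to_outside(entries, inside_id):
    """Translate a uid as seen inside the namespace to the host's view of it."""
    for inside, outside, length in entries:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return OVERFLOW_UID  # no mapping: the host sees the overflow uid


def outside_to_inside(entries, outside_id):
    """Translate a host uid to what the namespace sees (overflow if unmapped)."""
    for inside, outside, length in entries:
        if outside <= outside_id < outside + length:
            return inside + (outside_id - outside)
    return OVERFLOW_UID  # e.g. host files owned by an unmapped uid look like nobody


def root_is_privileged(entries):
    """True when uid 0 inside the namespace is uid 0 on the host.

    That is the situation to look for when auditing a container: a map such as
    '0 0 4294967295' (the initial namespace, or a 'privileged' container) gives
    in-container root the host's root uid, so a container escape is a root escape.
    """
    return inside_to_outside(entries, 0) == 0


def read_live_map(pid="self", kind="uid"):
    """Read the running process's map from procfs (Linux only)."""
    with open(f"/proc/{pid}/{kind}_map") as f:
        return parse_id_map(f.read())


if __name__ == "__main__":
    # Constructed sample: an unprivileged container whose 65536 uids are
    # shifted onto host uids 100000..165535.
    container = parse_id_map("0 100000 65536\n")
    print("container root on the host:", inside_to_outside(container, 0))
    print("host uid 1000 inside the container:", outside_to_inside(container, 1000))
    print("container root is host root:", root_is_privileged(container))

    if os.path.exists("/proc/self/uid_map"):
        live = read_live_map()
        print("this process: root is host root ->", root_is_privileged(live))
```

Reading `uid_map` for a container's init process is a quick way to check which kind of container you are looking at: a first entry of `0 0 ...` means the isolation is only namespaces plus whatever capability and MAC restrictions were applied, while a shifted first entry means even a full escape leaves the attacker as an ordinary host uid.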