IT student, privacy & open source activist from Czechia. Mastodon: https://c.im/@vfosnar
The same way companies advertise they are certified to be “Privacy respecting”, right? right?
That’s not true and misleading. Docker and Flatpak base images mostly contain shared libraries and even these get automatically deduplicated. Your Flatpak calculator doesn’t ship systemd or any other init system, nor does it ship system drivers lol
And yeah, if you are working in a restrained env and care about those few MBs taken by shared libraries then containerization is not for you.
Containerization is not perfect and it will never be, but that was never the goal. Making apps and services independent of the base system and easily restrictable like mounting volumes, restricting network, etc… was.
It really isn’t, malware can still easily break out, as neither Wine nor Proton was ever designed for isolation in the first place. An easy example is the Z drive giving the program access to the whole Linux filesystem.
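
The Z: drive mapping mentioned in the last comment can be checked per prefix. The following is an added example, not part of the original comments: it assumes the default Wine prefix layout (a `dosdevices/` directory holding one symlink per drive letter, e.g. `c:` -> `../drive_c` and `z:` -> `/`) and GNU `readlink -f`; the function name `audit_wine_prefix` is hypothetical.

```bash
# Added example: report Wine/Proton drive letters that resolve outside the prefix.
# Assumption: <prefix>/dosdevices/ contains one symlink per drive letter.

audit_wine_prefix() {
    local prefix dosdev link letter target exposed=0

    # Canonicalise the prefix so the comparisons below are path-exact.
    prefix=$(readlink -f -- "$1") || return 2
    dosdev="$prefix/dosdevices"
    [ -d "$dosdev" ] || { echo "no dosdevices directory in $1" >&2; return 2; }

    # Drive letters are two-character names such as "c:" or "z:".
    for link in "$dosdev"/?:; do
        [ -L "$link" ] || continue
        letter=${link##*/}
        target=$(readlink -f -- "$link") || target="(unresolvable)"

        case "$target" in
            "(unresolvable)")
                echo "skip     $letter -> target cannot be resolved" ;;
            "$prefix"|"$prefix"/*)
                # Stays inside the prefix: the Windows program sees only prefix files.
                echo "ok       $letter -> $target" ;;
            /)
                # Wine's default z: mapping: the whole host filesystem is readable
                # and writable with the invoking user's permissions.
                echo "EXPOSED  $letter -> / (entire host filesystem)"
                exposed=$((exposed + 1)) ;;
            *)
                echo "EXPOSED  $letter -> $target (outside prefix)"
                exposed=$((exposed + 1)) ;;
        esac
    done

    # Exit status 0 only when every drive letter stays inside the prefix.
    [ "$exposed" -eq 0 ]
}
```

A clean result only shows that no drive letter maps outside the prefix. It does not make the prefix a sandbox, since the Windows program still runs as an ordinary process of the invoking user.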