Most VM hypervisors allow the creation of virtual networks that are only visible to the VMs on the network, not to the host. The connection of the host to the virtual network is an extra step involving a TAP driver that translates between the host OS and the hypervisor process. Obviously, the virtual networks themselves, when the TAP driver is not loaded, are not going to mess with the host's routing configuration like a (normal, rootful) docker deployment would, by virtue of being invisible to the host's networking stack.
Also, yes, it is a docker problem in particular. Linux has a solution for virtualizing networking for a subset of processes only: network namespaces. Docker doesn't use them by default, but can be taught to do so with the rootless kit. All rootless container engines use them by default.
Also, yes, it is a docker problem in particular. Linux has a solution for virtualizing networking for a subset of processes only: network namespaces. Docker doesn't use them by default, but can be taught to do so with the rootless kit. All rootless container engines use them by default.