I like to run a hypervisor host as just that, a hypervisor host. Keeping the host stable is important, and it also reduces the attack surface by having it be only that.
An LXC per service is somewhat overkill. A Docker host running in an LXC could likely run all the Docker containers.
Unmotorized boat used by thieves notice a copper on their tail.
“Quick. Leg it!”