Ultimately Docker is just a set of linux features bundled together in a nice package
And that's where it gets kinda scary. In Zones/Jails, you started with as little shared as possible. A jail/zone is a fresh isolated environment. With Docker (and really all Linux container implementations) you have hack-and-slash isolation going on. It's a loosely coupled collection of namespacing mechanisms that relies on whatever spawns the container to coordinate all these mechanisms. By default, they all will happily put the process in a shared space.
And that's where it gets kinda scary. In Zones/Jails, you started with as little shared as possible. A jail/zone is a fresh isolated environment. With Docker (and really all Linux container implementations) you have hack-and-slash isolation going on. It's a loosely coupled collection of namespacing mechanisms that relies on whatever spawns the container to coordinate all these mechanisms. By default, they all will happily put the process in a shared space.