I don't think I'd look too hard at lxd or freebsd as you already have a docker setup.
But hw isolation might be worth investigating - as others are saying - hostile access to a web browser, including webmail etc - is pretty dangerous. And plain docker never had a good story wrt secure isolation.
Apparently there was "hypernetes", now stackube - for combining VM runtime and kubernetes:
As for lxd/freebsd jails and zfs - both offer very nice and easy to grasp environment for isolated services - and both should end a little more isolated than a typicaldocker setup (some services running as root in container, no additional lxc restrictions).
But all things considered, if you already have k8/docker set up to give every user a separate, possibly ephemeral container... Infrastructure is probably not where I'd devote most time. It should work well enough as is.
