The overall idea is to apply the principle of least privilege. If each process runs in its own set of namespaces and can only access exactly what it is meant to, then the container configuration is explicit documentation of dependencies, and you also reduce attack surfaces.
As for running on bare metal, I don't think the implication is that they are always better, but that if your goal is huge scale, minimizing the number of layers is better for efficiency (though not necessarily better for other things - e.g. you may want to group/sandbox some containers in VMs for increased security).
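As an added example (not code from the comment above or from any project it mentions), the following Python script audits Docker Compose service definitions for the least-privilege settings the comment describes: whether the service keeps its own pid/ipc/network/user namespaces, which capabilities it drops and adds, whether its root filesystem is writable, and which host paths it mounts. The two sample services are constructed for the example; the image name is a placeholder, and the compose keys used (`privileged`, `pid`, `ipc`, `userns_mode`, `network_mode`, `cap_add`, `cap_drop`, `read_only`, `security_opt`, `user`, `volumes`, `tmpfs`) are real Compose keys. The `declared_dependencies` helper prints the explicit grant list, which is the "documentation of dependencies" the configuration becomes once everything else is denied.

```python
"""Added example: audit Docker Compose service definitions for least-privilege settings.

Illustrative code, not from the discussion it accompanies. It reads a compose file in
parsed dict form (e.g. the result of yaml.safe_load) and reports every setting that
widens a service's view of the host beyond what the configuration explicitly declares.
"""
from typing import Dict, List

# Constructed sample: shares host namespaces and keeps every capability.
WEAK_SERVICE: Dict = {
    "image": "example/app:1.0",  # placeholder image name
    "privileged": True,
    "pid": "host",
    "network_mode": "host",
    "volumes": ["/:/host:rw", "/var/run/docker.sock:/var/run/docker.sock"],
}

# Constructed sample: same workload, isolated namespaces, privileges stated explicitly.
HARDENED_SERVICE: Dict = {
    "image": "example/app:1.0",  # placeholder image name
    "user": "10001:10001",
    "read_only": True,
    "cap_drop": ["ALL"],
    "cap_add": ["NET_BIND_SERVICE"],
    "security_opt": ["no-new-privileges:true"],
    "tmpfs": ["/tmp"],
    "volumes": ["app-data:/data:ro"],
}

# Host paths that, once bind-mounted, hand the container far more than a data directory.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/proc", "/sys", "/etc", "/dev")
# Capabilities that largely negate namespace isolation when granted.
BROAD_CAPABILITIES = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}


def _mounts_sensitive_host_path(volume: str) -> bool:
    """True if a compose volume string binds the host root or another sensitive host path."""
    src = volume.split(":")[0]
    if not src.startswith("/"):
        return False  # named volume, not a host bind mount
    return src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_service(name: str, service: Dict) -> List[str]:
    """Return one finding per setting that widens the service's access to the host."""
    findings: List[str] = []
    if service.get("privileged"):
        findings.append(f"{name}: privileged=true grants all capabilities and host devices")
    for key in ("pid", "ipc", "userns_mode"):
        if service.get(key) == "host":
            findings.append(f"{name}: {key}=host shares the host {key} namespace")
    if service.get("network_mode") == "host":
        findings.append(f"{name}: network_mode=host shares the host network namespace")
    if "ALL" not in {c.upper() for c in service.get("cap_drop", [])}:
        findings.append(f"{name}: cap_drop lacks ALL, so the default capability set is kept")
    for cap in service.get("cap_add", []):
        if cap.upper() in BROAD_CAPABILITIES:
            findings.append(f"{name}: cap_add {cap} undermines namespace isolation")
    if not service.get("read_only"):
        findings.append(f"{name}: root filesystem is writable (read_only not set)")
    if "no-new-privileges:true" not in service.get("security_opt", []):
        findings.append(f"{name}: no-new-privileges not set; setuid binaries can gain privileges")
    if not service.get("user"):
        findings.append(f"{name}: no user set; process runs as the image default (often root)")
    for volume in service.get("volumes", []):
        if _mounts_sensitive_host_path(volume):
            findings.append(f"{name}: bind mount {volume} exposes a sensitive host path")
    return findings


def declared_dependencies(service: Dict) -> Dict[str, List[str]]:
    """The explicit grant list: what the configuration says this process needs."""
    return {
        "capabilities": list(service.get("cap_add", [])),
        "mounts": list(service.get("volumes", [])) + list(service.get("tmpfs", [])),
    }


def audit_compose(compose: Dict) -> Dict[str, List[str]]:
    """Audit every service in a parsed compose file."""
    return {name: audit_service(name, svc) for name, svc in compose.get("services", {}).items()}


if __name__ == "__main__":
    report = audit_compose({"services": {"weak": WEAK_SERVICE, "hardened": HARDENED_SERVICE}})
    for svc_name, items in report.items():
        print(f"{svc_name}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
    print("hardened declares:", declared_dependencies(HARDENED_SERVICE))
```

Run against the two constructed services, the weak definition yields nine findings and the hardened one none; the hardened service's declared dependency list (one capability, one read-only data volume, one tmpfs) is the whole of what it can touch, which is the point of making the configuration explicit.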