A solution should be built into the core, absolutely! There may be more than one approach but at least an outline of a solution should be incorporated into the deployments we support.
As Markus noted on Slack, one way to isolate the action containers is through a Docker network that forbids inter-container communication with iptables. Jeremias could probably talk more about this as a starting point.

-r
