Develop the applications with landlock support. Landlock is a subsystem implemented in LSM for creating security sandbox. https://landlock.io/. It adds a new security layer in addition to the existing discretionary Access Control (DAC) and Mandatory Access Controls (MAC) mechanisms.
Also, vanilla kernel is included in which the landlock option in kconfig is enabled by default.

An OCI hook to generate seccomp profiles by tracing the syscalls made by the container. The generated profile would allow all the syscalls made and deny every other syscall.