Hi there,

I just had a talk with some LXC nerds.
Their opinion is that unprivileged LXC is more secure than Docker and
similar solutions. These would translate the syscalls to userspace, to
not have a direct interface to the kernel. In LXC, the syscalls
themselves would have built-in namespace awareness in the kernel itself,
but without a translation layer.

How does this statement relate to the security of a container running in
rootless Podman as a normal user? Could the "translation layer"
introduce trouble?

Best regards,
Tobias