James recently wrote a really nice blog post, praising IBM's approach.
I found it really misleading. He compared the results of fuzzing attacks to compare the security of the different container approaches. He implied that it represented real-life usage, but the key item was tucked away in the text -- it was a carefully tuned seccomp configuration that was really providing the security. If your containerized application wasn't allowed to make a system call, it couldn't compromise it by using bad parameters.
BTW, gVisor got a well-deserved ding because passing invalid arguments often crashes the container in a bad way, rather than simply failing and continuing to run.
I'm leaning towards Kata Containers. With its page de-duplication approach it might be efficient enough to have reasonable resource usage and a modest performance impact.
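As an added example (my own code, not from the comment above or from any of the projects it mentions), here is the mechanism the comment credits: a minimal seccomp-bpf filter that denies one syscall with EPERM, so a call carrying invalid arguments is refused before the kernel's own argument handling ever runs, and, unlike a kill verdict, fails cleanly instead of taking the process down. It assumes a Linux x86-64 or aarch64 host; `getpriority(2)` with the bogus `which` value 99 is my choice of probe.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#define DEMO_ARCH AUDIT_ARCH_X86_64 /* assumption: x86-64 host */
#endif

/* Deny one syscall with EPERM, allow everything else. SECCOMP_RET_ERRNO is
 * used instead of a kill verdict so a rejected call fails cleanly rather
 * than taking the process down. Returns 0, or -1 if seccomp is unavailable. */
static int block_syscall(int nr) {
    struct sock_filter filter[] = {
        /* kill if the ABI is not ours, so compat syscall numbers can't slip by */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* load the syscall number; if it is the blocked one, return EPERM */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* unprivileged processes must set no_new_privs before loading a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* getpriority(2) with an invalid `which` (99): unfiltered, the kernel's own
 * argument check returns EINVAL; filtered, the verdict is EPERM and the bad
 * argument never reaches kernel code. Returns the errno observed. */
static int probe_getpriority_errno(void) {
    errno = 0;
    return getpriority(99, 0) == -1 ? errno : 0;
}

int main(void) {
    int before = probe_getpriority_errno();                  /* EINVAL (22) */
    if (block_syscall(SYS_getpriority) != 0) { perror("seccomp"); return 1; }
    printf("before=%d after=%d\n", before, probe_getpriority_errno()); /* after: EPERM (1) */
    return 0;
}
```

A real profile would be an allowlist of the syscalls the workload needs rather than a single denial, but the before/after errno pair shows exactly why a well-tuned filter keeps bad parameters from ever reaching kernel code.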