Client/server notation indicates who initiates the connection and who sits around waiting. Wireguard seems to work best in a client/server model as a replacement for VPN, however, the wireguard website does suggest that it was designed for containers but does no complete the description.
Unikernels and scratch containers are still the only way to limit the attack surface area and take advantage of limited open ports and anthentication, authorization, encryption all at once.
Some operating systems, in particular OpenBSD, does not support containers or unikernels directly. VMM support does suggest a small OBSD install that could be restricted.
Let’s face it. Docker does a better job of configuring, deploying, securing, containers and container-like systems. The docker-compose file makes for a trivial composition of secure services. The challenge is that many host operating systems are just too bloated.