Docker is not a sandbox. How many times does this need to be repeated? If you are lazy, I would highly suggest using incus for spinning up headless VMs in a matter of seconds.
You can harden your Docker configuration (to not expose anything important) and then you can turn it into a sandbox by using the runsc/gvisor (emulated kernel) runtime. The configuration part alone would be sufficient for 99.9% of attacks, as it would require a kernel 0day to escape or exploit the kernel.
But it's best to just run a dev environment in a VM. Keep in mind that sophisticated attacks may seek to compromise the built binary.
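An added example, not code from any commenter: a daemon.json fragment that registers gVisor's runsc runtime, plus a small POSIX sh audit that checks a `docker run` line for the hardening the comment above alludes to. The runsc path, the flag set, the limits and the two sample command lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes runsc is installed at
# /usr/local/bin/runsc; the flag set below is one reasonable dev-sandbox profile.

# daemon.json fragment that makes `--runtime=runsc` available to `docker run`.
DAEMON_JSON='{ "runtimes": { "runsc": { "path": "/usr/local/bin/runsc" } } }'

# Flags a sandboxed dev container should carry (matched in --flag=value form).
REQUIRED_FLAGS="--runtime=runsc --cap-drop=ALL --security-opt=no-new-privileges \
--read-only --network=none --pids-limit=256"

# Options that hand the host to the container no matter which runtime is used.
DANGEROUS_PATTERNS="--privileged --pid=host --network=host --net=host \
--cap-add=SYS_ADMIN --userns=host docker.sock"

# audit_run_args "<docker run arguments>" prints space-separated findings,
# "missing:<flag>" or "dangerous:<pattern>", or nothing when the line is clean.
# Only the --flag=value spelling is recognised; `--flag value` is reported missing.
audit_run_args() {
  args=" $1 "
  out=""
  for f in $REQUIRED_FLAGS; do
    case "$args" in *" $f "*) ;; *) out="$out missing:$f" ;; esac
  done
  for p in $DANGEROUS_PATTERNS; do
    case "$args" in *"$p"*) out="$out dangerous:$p" ;; esac
  done
  printf '%s' "${out# }"
}

# Constructed sample command lines: a typical "just give me a shell" invocation
# and the hardened equivalent (runsc runtime, no caps, read-only root, no network).
WEAK='--rm -it --privileged -v /var/run/docker.sock:/var/run/docker.sock -v $PWD:/src ubuntu bash'
HARDENED="--rm -it --runtime=runsc --cap-drop=ALL --security-opt=no-new-privileges \
--read-only --tmpfs /tmp:rw,noexec,nosuid,size=256m --network=none --pids-limit=256 \
--user 1000:1000 -v \$PWD:/src:ro -w /src ubuntu sh"

printf 'daemon.json: %s\n' "$DAEMON_JSON"
printf 'weak:     %s\n' "$(audit_run_args "$WEAK")"
printf 'hardened: %s\n' "$(audit_run_args "$HARDENED")"
```

Even with every flag present, a `--read-only` root plus `--network=none` is what stops a compromised build from phoning home; runsc only changes what a kernel exploit can reach.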
Perhaps the reason people keep repeating it is that someone makes the statement without any reasons, then provides an alternative, again without any reasons.
"Why are you not using docker to sandbox your code?"
"Umm... someone on HN told me docker is not a sandbox, to use randomtool instead"