gVisor (runsc) implements an application kernel in user space that intercepts and handles the container's system calls, so the container does not interact directly with the host kernel. Because the host kernel sees only the much smaller set of calls the gVisor kernel itself makes, this mitigates container-escape techniques that rely on exploiting host kernel vulnerabilities.
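As an added example (not from the original page or the gVisor project), the following script shows how a Docker host opts workloads into runsc and how an operator can confirm that a container really landed inside gVisor's sandbox. It assumes runsc is installed at `/usr/local/bin/runsc` and that gVisor's emulated `dmesg` output contains the banner line `Starting gVisor...`; the sample log text is constructed.

```shell
#!/bin/sh
# Added example: register runsc with dockerd and verify a container is sandboxed.
set -eu

RUNSC_BIN="${RUNSC_BIN:-/usr/local/bin/runsc}"   # assumed install path

# Docker daemon configuration that registers runsc as an additional OCI
# runtime. Write it to /etc/docker/daemon.json and restart dockerd; containers
# then opt in with `docker run --runtime=runsc ...`.
runsc_daemon_json() {
  cat <<EOF
{
  "runtimes": {
    "runsc": {
      "path": "${RUNSC_BIN}"
    }
  }
}
EOF
}

# Returns 0 when the supplied kernel-log text was produced by gVisor's
# user-space kernel (the Sentry). Inside a gVisor sandbox, dmesg shows the
# Sentry's own boot banner rather than the host kernel's ring buffer, so the
# banner is a cheap signal that the workload is not talking to the host kernel.
is_gvisor_dmesg() {
  case "$1" in
    *"Starting gVisor"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Runs a throwaway container under runsc and checks its dmesg output.
# Requires a Docker host with runsc registered; not run at load time.
verify_container_sandboxed() {
  out="$(docker run --rm --runtime=runsc alpine dmesg 2>/dev/null || true)"
  is_gvisor_dmesg "$out"
}

# Constructed sample outputs for an offline check of the predicate.
SAMPLE_GVISOR_DMESG='[   0.000000] Starting gVisor...
[   0.334421] Checking naughty and nice process list...
[   0.512003] Ready!'
SAMPLE_HOST_DMESG='[    0.000000] Linux version 6.1.0 (gcc ...)
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1'
```

Running `verify_container_sandboxed` on a host where the runtime was silently left as runc makes the check fail, which is the case this guards against.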