How would that help?

It would mean you need an additional vulnerability to escape the VM sandbox.

Yeah if you check email in a VM. But how would a Docker container help?

Maybe I'm using terms interchangeably when I shouldn't be (I haven't jumped on the containerization bandwagon), but a Docker container is still just a "VM light", right? Part of its purpose is to isolate the things running inside of it from anything else running on the system. I'm fairly certain my comment still stands if you just `s/VM/container`.

No.

Docker isolation is for convenience not security isolation.