As a rule of Thumb, an attack can ALWAYS escape from Docker containers.

These containers are a light way to separate processes. They are not intended as a security measure to isolate malicious processes that tries to escape.