Re: Bitcoin Full Node Security Practices? (DevOps)
Board: Development & Technical Discussion
by almightyruler on 23/12/2019, 14:00:28 UTC
Merited by BayAreaCoins (1)
bitcoind: Runs under its own user

This makes it sound like you'll be running multiple daemons on the one server, relying only on the file permissions to deny or grant access? You really should be completely isolating each separate coin, so that a compromise of one wallet won't affect the others on the server.

I don't know about Linux containerization, but under FreeBSD you can use 'jail' to run an extreme chroot: only the coin client and a couple of required libraries (as well as the application data) are visible to the process. This means that a compromised coin client can't open a shell (no /bin/sh), can't recompile anything (no cc), and can't start any kind of remote access daemon such as ftpd or nc. Lock each one up tight.
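
One way to check the lock-down described above, as an added example that is not part of the original post: a shell function that walks a jail's root directory and reports any shell, compiler or remote access tool left inside it. The names sh, cc, ftpd and nc come from the post; the other names in the list, the function names and the sample directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): report files in a jail root that the
# post says a locked-down coin jail should not contain.
# sh, cc, ftpd and nc are named in the post; the rest are assumed extras.
FORBIDDEN="sh cc ftpd nc csh tcsh clang sshd telnetd"

# audit_jail_root ROOT
# Prints "FORBIDDEN <path>" per finding. Returns 0 if the tree is clean,
# 1 if anything was found, 2 if ROOT is not a directory.
audit_jail_root() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit_jail_root: not a directory: $root" >&2
        return 2
    fi
    status=0
    for name in $FORBIDDEN; do
        # Search the whole tree, not just /bin, and include symlinks, so a
        # copy placed at an unusual path is still reported.
        hits=$(find "$root" \( -type f -o -type l \) -name "$name")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's/^/FORBIDDEN /'
            status=1
        fi
    done
    return $status
}

# make_sample_root: build a constructed jail tree for demonstration.
# The layout and file names are hypothetical. Prints the new tree's path.
make_sample_root() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/usr/local/bin" "$dir/lib" "$dir/var/db/coin"
    : > "$dir/usr/local/bin/bitcoind"
    : > "$dir/lib/libc.so.7"
    echo "$dir"
}
```

Run `audit_jail_root` against each coin's jail path after building or updating it; a non-zero return means something the post says should be invisible to the process is present in that tree.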