Containers share the host kernel; thus the attack surface is as large as the kernel functionality that is exported to the container by the host (usually almost all syscalls).
In VMs, as far as I know, the attack surface is much smaller, as the interaction between the guest and host kernel is limited.
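The point about "almost all syscalls" can be made measurable. The following is an added example, not code from the commenter: it models a Docker/OCI-style seccomp profile and computes how much of the host kernel's syscall table a container under that profile can still reach. The syscall table and the workload allowlist below are constructed stand-ins (the names are real Linux syscalls, but the table is deliberately abbreviated); the `HIGH_RISK` set is an illustrative choice, not an official list.

```python
"""Measure the kernel syscall surface exported to a container under a seccomp
profile. Added example with constructed data; not part of the original comment."""
import json

# Constructed stand-in for the host kernel's syscall table. Real syscall
# names, but x86_64 Linux exports well over 300, so this is abbreviated.
KERNEL_SYSCALLS = [
    "read", "write", "open", "close", "stat", "fstat", "mmap", "mprotect",
    "munmap", "brk", "rt_sigaction", "ioctl", "execve", "exit", "clone",
    "fork", "ptrace", "mount", "umount2", "reboot", "kexec_load",
    "init_module", "finit_module", "delete_module", "keyctl", "bpf",
    "unshare", "setns", "pivot_root", "socket", "connect", "accept",
    "getpid", "nanosleep", "exit_group", "futex", "openat", "getdents64",
]

# Illustrative set of syscalls that reach deep into kernel administration;
# a sandbox profile normally has no reason to expose these to a workload.
HIGH_RISK = {
    "ptrace", "mount", "umount2", "reboot", "kexec_load", "init_module",
    "finit_module", "delete_module", "keyctl", "bpf", "unshare", "setns",
    "pivot_root",
}

# seccomp actions that stop the syscall from running (errno, kill, trap).
DENY_ACTIONS = {
    "SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
    "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP",
}

# "Unconfined": allow everything by default, i.e. the full kernel surface.
UNCONFINED_PROFILE = {"defaultAction": "SCMP_ACT_ALLOW"}


def build_allowlist_profile(allowed, arch="SCMP_ARCH_X86_64"):
    """Return a Docker/OCI-style profile that denies by default and permits
    only the syscalls in `allowed` (deduplicated and sorted)."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"}],
    }


def reachable_syscalls(profile, kernel_syscalls):
    """Compute which of `kernel_syscalls` a process under `profile` can invoke.
    Only name-based rules are modelled; argument filters are ignored here."""
    default_allow = profile.get("defaultAction") not in DENY_ACTIONS
    reachable = set(kernel_syscalls) if default_allow else set()
    for rule in profile.get("syscalls", []):
        names = set(rule.get("names", [])) & set(kernel_syscalls)
        if rule.get("action") in DENY_ACTIONS:
            reachable -= names
        elif rule.get("action") == "SCMP_ACT_ALLOW":
            reachable |= names
    return reachable


def surface_report(profile, kernel_syscalls):
    """Summarise how much of the kernel a container under `profile` can reach."""
    reachable = reachable_syscalls(profile, kernel_syscalls)
    total = len(set(kernel_syscalls))
    return {
        "reachable": len(reachable),
        "total": total,
        "fraction": round(len(reachable) / total, 3),
        "high_risk_reachable": sorted(reachable & HIGH_RISK),
    }


if __name__ == "__main__":
    # Constructed allowlist: what a small file-processing workload might need.
    workload = build_allowlist_profile([
        "read", "write", "openat", "close", "fstat", "mmap", "munmap",
        "brk", "exit_group", "futex", "rt_sigaction", "getpid",
    ])
    print("unconfined:", surface_report(UNCONFINED_PROFILE, KERNEL_SYSCALLS))
    print("allowlist :", surface_report(workload, KERNEL_SYSCALLS))
    print(json.dumps(workload, indent=2))
```

The unconfined profile reports every syscall in the table as reachable, including the whole `HIGH_RISK` set, which is the situation the comment describes; the allowlist profile shrinks that to the handful the workload actually needs. In practice the allowlist is derived from the workload's observed syscalls (for example from `strace` or audit logs) rather than written from memory, and argument-level filtering further narrows what remains.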