jails FreeBSD 15.1 and Service Jails for some or all services?

We are testing Service Jails in FreeBSD 15.1.

Are there any advantages to running daemons in Service Jails with no contact to the outside world, like MariaDB, Valkey, etc.?

Code:
/etc/rc.conf
apache24_svcj="YES" <==
apache24_enable="YES"
apache24_http_accept_enable="YES"
...
php_fpm_svcj="YES" <==
php_fpm_enable="YES"

Code:
# jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     1  srv09                         /
        svcj-apache24                 ACTIVE
        3
     2  srv09                         /
        svcj-php_fpm                  ACTIVE
        5
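
As an added check that is not part of the thread: a small POSIX sh script that cross-checks the `_svcj` settings in the rc.conf fragment above against the `jls -v` output, and lists services that were requested as service jails but have no ACTIVE `svcj-<name>` jail (for instance a daemon still running from before the `_svcj` line was added, or one that is not started yet). The rc.conf and jls samples are constructed to mirror the ones above, with an extra mariadb entry added as an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every service with
# <name>_svcj="YES" in rc.conf is really running inside an ACTIVE
# svcj-<name> jail according to `jls -v`. Inputs below are constructed;
# on a real host use  RC_CONF=$(cat /etc/rc.conf); JLS_OUT=$(jls -v)

# Constructed rc.conf fragment (mariadb added as an assumed extra service).
RC_CONF='apache24_svcj="YES"
apache24_enable="YES"
php_fpm_svcj="YES"
php_fpm_enable="YES"
mariadb_svcj="YES"
mariadb_enable="YES"'

# Constructed `jls -v` output: only the apache24 and php_fpm jails are up.
JLS_OUT='   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     1  srv09                         /
        svcj-apache24                 ACTIVE
        3
     2  srv09                         /
        svcj-php_fpm                  ACTIVE
        5'

# Service names requested as service jails in rc.conf, one per line.
svcj_requested() {
    printf '%s\n' "$1" | sed -n 's/^\([A-Za-z0-9_]*\)_svcj="YES".*/\1/p'
}

# Service names whose svcj-<name> jail is ACTIVE in `jls -v` output.
svcj_active() {
    printf '%s\n' "$1" | awk '$1 ~ /^svcj-/ && $2 == "ACTIVE" { print substr($1, 6) }'
}

# Names requested in rc.conf that have no ACTIVE jail: those daemons are
# either stopped or were started outside a service jail and need a restart.
svcj_missing() {
    active=$(svcj_active "$2")
    for name in $(svcj_requested "$1"); do
        printf '%s\n' "$active" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

svcj_missing "$RC_CONF" "$JLS_OUT"   # prints: mariadb
```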
 
Putting services into service jails has a lot of advantages.
First of all, you would not expose your internal services like database services to the wild of the public internet. These services are highly attractive to malicious actors and there is no reason to let them listen on the public IP of your host.
Another advantage is that if your service is compromised, such as through a zero-day exploit in your web service software, the malicious attacker is restricted to your jail. So the impact of a successful attack is restricted to the filesystem and running processes of your jail.
There are many more advantages, like using jails for reverse proxies and separating different web services in jails, easy cloning, testing jails and so on.
 