1 point by lromanis 3 hours ago | 1 comment
  • lromanis 3 hours ago
    Just pushed v3.0 of my container escape audit script, and made it public for the first time.

    Most container security tools check the obvious stuff. Privileged mode, docker.sock, exposed namespaces. The attacks happening now are going after less-checked surfaces - GPU workload OCI hooks, kernel keyring material, eBPF syscall exposure, page cache write primitives.

    Updated my container escape audit script to cover 35 vectors, including relevant CVEs.

    This could be used by pentesters or by DevSecOps. The README covers just about everything now.
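An added, defender-side illustration of the kind of checks an audit script like the one announced above performs on the "obvious" surfaces (effective capabilities, seccomp state, runtime socket mounts). This is not lromanis's script; the `/proc/self/status` and `/proc/self/mountinfo` samples, the severity labels and the capability shortlist are constructed for the example, and the checks are written as pure functions over the text so they can be run offline against those samples.

```python
"""Small container-surface audit: pure functions over /proc text (testable
offline) plus a main() that runs them live inside a container."""
import re
from typing import Dict, List, Optional

# Capability bit numbers from linux/capability.h. This shortlist is the
# example's own choice of capabilities worth flagging, not an exhaustive one.
CAP_NAMES: Dict[int, str] = {
    2: "CAP_DAC_READ_SEARCH",
    12: "CAP_NET_ADMIN",
    16: "CAP_SYS_MODULE",
    19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN",
    39: "CAP_BPF",
}

# Constructed sample /proc text (not captured from a real host).
# CapEff a80425fb is the usual Docker default set; 000001ffffffffff is
# what a --privileged container typically shows on a 41-capability kernel.
SAMPLE_STATUS_DEFAULT = "Name:\tsh\nSeccomp:\t2\nCapEff:\t00000000a80425fb\n"
SAMPLE_STATUS_PRIVILEGED = "Name:\tsh\nSeccomp:\t0\nCapEff:\t000001ffffffffff\n"
SAMPLE_MOUNTINFO_CLEAN = (
    "525 497 0:24 / / rw,relatime - overlay overlay rw\n"
    "527 525 0:6 / /proc rw,nosuid,nodev,noexec - proc proc rw\n"
)
SAMPLE_MOUNTINFO_SOCKET = SAMPLE_MOUNTINFO_CLEAN + (
    "526 525 0:5 /docker.sock /run/docker.sock rw,nosuid - tmpfs tmpfs rw\n"
)

RUNTIME_SOCKETS = ("docker.sock", "containerd.sock", "crio.sock")


def _status_field(status_text: str, key: str) -> Optional[str]:
    """Return the value of one 'Key:\\tvalue' line from /proc/<pid>/status."""
    m = re.search(rf"^{key}:\s*(\S+)$", status_text, re.M)
    return m.group(1) if m else None


def dangerous_caps(status_text: str) -> List[str]:
    """Names from CAP_NAMES whose bit is set in the effective capability mask."""
    raw = _status_field(status_text, "CapEff")
    if raw is None:
        return []
    mask = int(raw, 16)
    return [name for bit, name in sorted(CAP_NAMES.items()) if (mask >> bit) & 1]


def seccomp_mode(status_text: str) -> Optional[int]:
    """0 = no seccomp, 1 = strict, 2 = filter (the normal runtime default)."""
    raw = _status_field(status_text, "Seccomp")
    return int(raw) if raw is not None else None


def runtime_socket_mounts(mountinfo_text: str) -> List[str]:
    """Mount points (field 5 of mountinfo) that expose a container runtime socket."""
    hits = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[4].endswith(RUNTIME_SOCKETS):
            hits.append(fields[4])
    return hits


def audit(status_text: str, mountinfo_text: str) -> List[str]:
    """Combine the checks into a list of findings; an empty list means none fired."""
    findings = []
    caps = dangerous_caps(status_text)
    if "CAP_SYS_ADMIN" in caps:
        findings.append("HIGH: CAP_SYS_ADMIN is effective (privileged-like container)")
    extra = [c for c in caps if c != "CAP_SYS_ADMIN"]
    if extra:
        findings.append("MEDIUM: extra capabilities beyond the default set: " + ", ".join(extra))
    if seccomp_mode(status_text) == 0:
        findings.append("MEDIUM: no seccomp filter, full syscall/eBPF surface reachable")
    for mp in runtime_socket_mounts(mountinfo_text):
        findings.append(f"HIGH: container runtime socket mounted at {mp}")
    return findings


def main() -> None:
    # Live run: read this process's own /proc entries (Linux only).
    with open("/proc/self/status") as f, open("/proc/self/mountinfo") as g:
        for line in audit(f.read(), g.read()) or ["no findings"]:
            print(line)


if __name__ == "__main__":
    main()
```

Running it inside a default Docker container should print "no findings"; in a privileged container with the Docker socket bind-mounted it reports the three high/medium items. The checks deliberately read only the container's own `/proc` view, so they need no extra privileges to run.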