I once suggested to the sfdroid guys that they containerise using namespaces, but I don't know whether they implemented it in the end. I stumbled onto a promising alternative the other day called Anbox. It uses LXC, so network namespaces should be fully configurable with firewall rules.