Unix systems usually provide chroot or jail mechanisms, which allow you to run subsystems isolated from the main system. So if a subsystem gets compromised, the whole system is still safe.

Section 23.3.5 includes a few references to articles discussing these mechanisms.