NAS: How to run it safer inside LXC?

Dear all,
up to now I run separate router (with its FW and its own bugs) and independent NAS (with different FW and different bugs). I considered that as safety feature.
Now, in case that Turris OS will be the only FW in place (and could potentially have a security bug), could somehow running a LXC container (with Debian?) and managing user accounts for NAS users inside LXC improve safety?
I.e., in case of infected T-OS, is it possible to prevent access from T-OS-root account to drive data?
Thanks for any proposal !

No, you cannot do that. If you must have that, try encrypted vm’s on server grade hardware

Hi again,
To justsomeguy: I do not consider my old setup (separate router, separate NAS, different FWs and different bugs) as server-grade…
On the other hand, blocking access to volume data for TOS can be implemented probably with less computation power than by data encryption: What to use in container a kind of filesystem that is unknown to TOS?
All readers - do you have any proposal? Thanks in advance!