Restrict Docker Directory Access

Submitted by Calvin on Wed, 07/06/2022 - 00:57

I discovered Docker requires Docker File Share of your /Users/[user] directory. This exposes all your personal stuff in there to Docker containers. A malicious package from there could copy all your keys, or anything else.

In ~/.lando/config.yml I set home: /Users/[user]/projects/.home as a pseudo home for development and only put things in there that I want Docker to be able to access. It still exposes select SSH keys to containers, but those are limited to development keys for active projects, and not everything in my user directory.

In the Docker File Share config I only share:

  • /Users/[user]/projects
  • /Users/[user]/.lando
  • /Users/[user]/.docker
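
A way to check which sensitive paths a given file-share list still exposes, as an added example that is not part of the original post. The user name "alice", the list of sensitive paths and the function names are assumptions made for illustration; the restricted share list mirrors the three directories above.

```python
from pathlib import PurePosixPath

# Constructed sample data: "alice" and the sensitive-path list are assumptions.
HOME = PurePosixPath("/Users/alice")
SENSITIVE = [
    HOME / ".ssh",
    HOME / ".aws",
    HOME / ".gnupg",
    HOME / "projects-private",      # sibling of a shared dir, must not match
    HOME / "projects/.home/.ssh",   # development keys in the pseudo home
]

WHOLE_HOME_SHARE = [HOME]
RESTRICTED_SHARE = [HOME / "projects", HOME / ".lando", HOME / ".docker"]


def _is_within(path, parent):
    """Component-wise containment: /Users/alice/projects-private is NOT
    inside /Users/alice/projects, which a string prefix test would get wrong."""
    return path == parent or parent in path.parents


def exposure(shared_dirs, sensitive_paths):
    """Map each exposed sensitive path to (share, 'full' | 'partial').

    'full' means the whole sensitive path sits under a share; 'partial'
    means a share sits inside it. Comparison is lexical only: symlinks
    and '..' components are not resolved.
    """
    findings = {}
    for secret in map(PurePosixPath, sensitive_paths):
        for share in map(PurePosixPath, shared_dirs):
            if _is_within(secret, share):
                findings[str(secret)] = (str(share), "full")
                break
            if _is_within(share, secret):
                findings.setdefault(str(secret), (str(share), "partial"))
    return findings


if __name__ == "__main__":
    for label, shares in (("whole home", WHOLE_HOME_SHARE),
                          ("restricted", RESTRICTED_SHARE)):
        print(label)
        for secret, (share, kind) in exposure(shares, SENSITIVE).items():
            print(f"  {secret} exposed ({kind}) via {share}")
```

With the restricted list, only the development keys under the pseudo home remain visible to containers.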