NixOS container private/encrypted filesystem

When using a NixOS container, there is a filesystem shared by guest and host.

Is it possible to make the whole filesystem accessible only by the guest? Or do you need a VM for such a setup?

I would manually start and decrypt/log in to the container.

I've used VMs but I don't have container experience.

There is no option you can enable that gets /var/lib (or /run, if ephemeral) encrypted as a separate filesystem, but I suppose one could make a partition on the host, encrypt it with LUKS, and then mount it at /var/lib or /run so the container starts from there.
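As an added illustration of the LUKS-partition approach in the reply above (this is not code from the thread or from NixOS), the script below does the manual unlock/mount/start and the reverse stop/unmount/close sequence, and refuses to start the container unless its state directory really is backed by the dm-crypt mapping. It assumes a container named `secret`, the `/var/lib/nixos-containers/<name>` state directory NixOS uses for declarative containers, and a placeholder partition UUID; the tool names are overridable only so the logic can be dry-run without root.

```shell
#!/usr/bin/env bash
# Added example for the LUKS-partition idea in the reply above; not code from
# the original thread or from NixOS. Assumptions (mine, not the thread's):
# container "secret", state dir /var/lib/nixos-containers/<name>, and a
# placeholder UUID for the encrypted partition.
set -eu

CONTAINER="${CONTAINER:-secret}"
STATE_DIR="${STATE_DIR:-/var/lib/nixos-containers}"
ROOT="$STATE_DIR/$CONTAINER"
LUKS_DEV="${LUKS_DEV:-/dev/disk/by-uuid/REPLACE-WITH-PARTITION-UUID}"
MAPPER_NAME="${MAPPER_NAME:-cont-$CONTAINER}"

# External tools, overridable so the flow can be exercised without root
# (e.g. CRYPTSETUP=: MOUNT=: for a dry run).
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
MKFS="${MKFS:-mkfs.ext4}"
MOUNT="${MOUNT:-mount}"
UMOUNT="${UMOUNT:-umount}"
FINDMNT="${FINDMNT:-findmnt}"
NIXOS_CONTAINER="${NIXOS_CONTAINER:-nixos-container}"

# True when a mount source is the dm-crypt mapping we opened (pure string check).
source_is_our_mapping() {
  [ "$1" = "/dev/mapper/$MAPPER_NAME" ]
}

# True only when ROOT is currently backed by our LUKS mapping. findmnt --target
# reports the filesystem that contains ROOT, so when nothing is mounted there
# the source is the host's root device and the check fails. That is the point:
# starting the container then would run it on the host's plaintext disk.
root_is_encrypted_mount() {
  local src
  src="$("$FINDMNT" -n -o SOURCE --target "$ROOT" 2>/dev/null || true)"
  source_is_our_mapping "$src"
}

# One-time and DESTRUCTIVE: format the partition as LUKS2 with ext4 inside.
init_volume() {
  "$CRYPTSETUP" luksFormat --type luks2 "$LUKS_DEV" || return 1
  "$CRYPTSETUP" open "$LUKS_DEV" "$MAPPER_NAME" || return 1
  "$MKFS" -L "$MAPPER_NAME" "/dev/mapper/$MAPPER_NAME" || return 1
  "$CRYPTSETUP" close "$MAPPER_NAME"
}

# Manual unlock: passphrase prompt, mount over the container's state dir,
# verify the mount really landed there, then start the container.
unlock() {
  [ -d "$ROOT" ] || { echo "missing $ROOT; create it once with mkdir -p" >&2; return 1; }
  if ! root_is_encrypted_mount; then
    "$CRYPTSETUP" open "$LUKS_DEV" "$MAPPER_NAME" || return 1
    "$MOUNT" "/dev/mapper/$MAPPER_NAME" "$ROOT" || return 1
  fi
  root_is_encrypted_mount || { echo "refusing to start: $ROOT is not on $MAPPER_NAME" >&2; return 1; }
  "$NIXOS_CONTAINER" start "$CONTAINER"
}

# Reverse order: stop the container, unmount, close the mapping so the
# volume key is dropped from the kernel.
lock() {
  "$NIXOS_CONTAINER" stop "$CONTAINER" || return 1
  "$UMOUNT" "$ROOT" || return 1
  "$CRYPTSETUP" close "$MAPPER_NAME"
}

case "${1:-}" in
  init)   init_volume ;;
  unlock) unlock ;;
  lock)   lock ;;
  status) if root_is_encrypted_mount; then echo "$ROOT is on $MAPPER_NAME"
          else echo "$ROOT is NOT on the encrypted volume"; fi ;;
  "")     ;;  # no subcommand: only define the functions (for sourcing/testing)
  *)      echo "usage: $0 init|unlock|lock|status" >&2; exit 2 ;;
esac
```

Declare the container with `containers.secret.autoStart = false;` so the host does not try to start it at boot before the volume is unlocked. Note what this does and does not give you: the container's files are protected at rest, but while the mapping is open, root on the host can read them, `nixos-container root-login` still works, and the container shares the host kernel, so this is not the isolation a VM would provide.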