That'd be an unusual setup. If you have users deploying containers on your host -- that you trust enough to run whatever containers, but don't want to give them ssh to the host -- you'd usually have some kind of frontend such as Portioner, where you can have container exec and such.

Containerization is not virtualization. It's very possible to break out of containers, especially if configured badly, or if there are any found exploits in the container engine or even the kernel. Containers are "good enough" for the majority of projects, but it has never been designed to be a truly hardened sandbox.

Basically, if you're running an OpenSSH server inside a container, it's likely that you've gotten the wrong ideas about securing your environment, and thus some old libraries in an old Debian image is the least of your worries.