How is it ephemeral? My Docker instance for Lemmy logs forever unless I manually clear the logs. My Caddy reverse proxy logs every request too. Both are stored to disk and I’m free to copy them out at any time. They’ll keep increasing in size until I decide to clear them.
They’re logged through the Docker engine, not the container. A malicious actor would require a sophisticated container breakout attack to even attempt to clear them. Those attacks are rare and highly publicized.
Alternatively, an attacker could try to find my real instance IP from behind Cloudflare (probably not going to happen), somehow bypass my provider’s firewall which only allows SSH from my home IP (my home is more likely to be broken into than that), and then somehow defeat SSH authentication on top of both of those (quantum computers aren’t quite there yet).
I’m having trouble seeing the risk you’re concerned about.