I definitly think it should be chroot, and preferably a section (at least for linux) on adding the grsecurity patches to your kernel to make defeating a chroot even harder.
This is yet another reason to not use RH6.2 as a standard install. Also, I am working on some iptables rules which will help as well.