some general best practices should be considered:

• run python as a non-privileged user inside the container (ie, specify USER)
• verify that services like sshd and telnetd are not running inside the container
• ensure that un-needed packages are not in the base container
• verify no executables have setuid/setgid privileges (see below)
• update to the latest available base image (at the time of writing i believe that is python:3.8.1-slim-buster

To check for setuid/setgid privileges:

docker run <Image_ID> find / -perm /6000 -type f -exec ls -ld {} \; 2> /dev/null

Python 3.7 is still more widely supported, so rather than update to python:3.8.1-slim-buster, we could provide base python version as options in the model.yml.