ClamAV in a container: one centralized, hardened, RAM-frugal clamd
Consolidate several clamd instances into a single containerized ClamAV engine (Podman/Quadlet), non-root, exposed over a group-restricted unix socket, sharing the host's signatures — without wasting memory.
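A host-side check for the socket exposure described above, as an added example that is not from the original page. The socket path and client group id are assumptions you supply on the command line; the only protocol detail used is clamd's `zPING` command, which a running daemon answers with `PONG`.

```python
import os
import socket
import stat
import sys


def audit_clamd_socket(path, expected_gid):
    """Return findings for a clamd unix socket; an empty list means it passes."""
    try:
        st = os.lstat(path)  # lstat: a symlink in place of the socket is reported, not followed
    except FileNotFoundError:
        return ["socket path does not exist"]
    if not stat.S_ISSOCK(st.st_mode):
        return ["path is not a unix socket"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o007:
        findings.append(f"world-accessible socket (mode {mode:04o}), expected 0660")
    if (mode & 0o060) != 0o060:
        findings.append(f"group lacks read/write (mode {mode:04o}), clients cannot connect")
    if st.st_gid != expected_gid:
        findings.append(f"group is gid {st.st_gid}, expected gid {expected_gid}")
    return findings


def clamd_ping(path, timeout=5.0):
    """Send clamd's null-delimited PING command; True if the daemon answers PONG."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(b"zPING\0")
        return s.recv(16).rstrip(b"\0\n") == b"PONG"


if __name__ == "__main__":
    # Usage (both arguments are supplied by you; neither is a value from the page):
    #   python3 check_clamd_socket.py <socket-path> <client-gid>
    sock_path, gid = sys.argv[1], int(sys.argv[2])
    problems = audit_clamd_socket(sock_path, gid)
    for p in problems:
        print("FAIL:", p)
    if not problems:
        print("PONG received" if clamd_ping(sock_path) else "no PONG from clamd")
    sys.exit(1 if problems else 0)
```

Run it as a member of the client group, since a process outside that group should be refused at `connect()` once the mode is 0660.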