Backup targets for ZFS

You should be able to grant access to the pool from inside an lxc container; that’s functionality Allan Jude and company provided for a client a year or two ago IIRC.

The ability to safely replicate to or from an untrusted system is already available in syncoid, really–it’s the setup work that isn’t, and that’s more of a how-to than a write-a-tool kind of thing.

Essentially the target just needs to create a parent dataset for the source to replicate to, and provide the source a set of user credentials which have ZFS delegated privileges sufficient to replicate in. A quota can also be set on this parent dataset, to restrict the total space available to the source.

Once that’s done, the source just pushes backups to the target, from an already-encrypted dataset, using raw send. The target can receive replication just fine, but cannot itself decrypt the data it receives.

Further reading: Improving Replication Security With OpenZFS Delegation | Klara Inc
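
The setup described above written out as commands, added here as an example; it is not part of the original post or the linked article. The user, dataset, quota and host names are constructed, and the delegated permission set (`create,mount,receive`) is an assumed minimum that your OpenZFS version or syncoid options may require extending.

```shell
#!/bin/sh
# Added example. Constructed names: backupuser, tank/backups/clientA, 500G,
# pool/data, backup.example.net.
# DRY_RUN=1 (the default) prints each command instead of running it.

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# TARGET (as root): parent dataset, space cap, delegated receive rights.
# Assumed minimal permission set: nothing that allows destroy, send or
# load-key is delegated to the source's account.
target_setup() {
    t_user=$1; t_parent=$2; t_quota=$3
    run zfs create -p "$t_parent" &&
    run zfs set "quota=$t_quota" "$t_parent" &&
    run zfs allow -u "$t_user" create,mount,receive "$t_parent"
}

# SOURCE: push raw (still-encrypted) streams to the target.
# A raw send of an unencrypted dataset arrives as plaintext, so refuse it.
source_push() {
    s_src=$1; s_user=$2; s_host=$3; s_parent=$4
    s_enc=$(zfs get -H -o value encryption "$s_src") || return 1
    if [ -z "$s_enc" ] || [ "$s_enc" = "off" ]; then
        echo "refusing: $s_src is not encrypted, raw send would not protect it" >&2
        return 1
    fi
    # --sendoptions=w passes -w (raw) to zfs send; no sudo on either end.
    run syncoid --no-privilege-elevation --sendoptions=w \
        "$s_src" "$s_user@$s_host:$s_parent/${s_src##*/}"
}

# Usage (on the target, then on the source):
#   DRY_RUN=0 target_setup backupuser tank/backups/clientA 500G
#   DRY_RUN=0 source_push pool/data backupuser backup.example.net tank/backups/clientA
```

On the target, `zfs allow tank/backups/clientA` lists what was delegated, and `zfs get keystatus` on the received dataset should report `unavailable`, since the key never leaves the source.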