How to secure uplink server?

Dear Anvil co-smiths,
I would like to ask about some tips how to secure a server running anvil uplink.
I am a hobbyist and have developed a quick app prototype that allows a friend to upload several image files, perform some conversions on them and return it as a zip file.

I check the file extensions, I validate the files that they are uncorrupted images, but what if someone tries to inject some malicious code and tries to take over the whole server?

Are there any recommendations on how to secure the linux server in case someone uploads a potentially malicious file? I heard using docker is a good start, but in case I learn about AppArmor or SELinux, would I have to secure just the python executable (i am using a venv environment)? or is there a lot more to consider?

There is a firewall rule in place that will only allow communication from Anvil. However, as soon as I got the idea of a malicious code crossed my thoughts, I cant get rid of it.

And I haven’t been able to find it in the forums, so I thought of asking out. Thanks a lot for any kind of input (or even directions where to look for cues).