@robb No doubt that a VM or even better as @Andy_Wismer stated, bare metal are the easier and obvious options. This was more about can I do this, than something that had to happen to power my network today or even next week. Everything including threat shield, IPS and fail2ban working over my short trial. still only using 300 MiB with everything up. Have to see if the VLans i create on each interface work and connect as expected.
@Andy_Wismer FYI, in case this helps you in the future I happened to see that you can change a LXC from privileged to unprivileged and vice versa. Not via GUI though.
It is possible to convert an existing CT into an unprivileged CT by doing a backup, then a restore on console:
pct restore 1234 var/lib/vz/dump/vzdump-lxc-1234-2016_03_02-02_31_03.tar.gz -ignore-unpack-errors 1 -unprivileged