In Fabric, smart contracts, also known as chaincode, can be written in Go or JavaScript. The chaincodes must be installed on a peer and then explicitly initiated. When initiated, each code runs in a separate Docker container. The previous versions of chaincode also run in separate Docker containers.
The Docker container running the chaincode has access to the virtual network as well as the entire networking stack. If care is not taken in carefully reviewing the chaincode before it gets installed on the peer, and isolating the network access for that chaincode, it could result in a malicious or misconfigured node probing or attaching the peer attached to the same virtual network.
An operator can configure a policy to disable all outgoing or incoming network traffic on the chaincode Docker containers, except white-listed nodes.