You update your image, stop the container, start the container (with the new image). That's all.
You can create complex containers that could update with security fixes without restarting. But it is easier to update an image e.g. once per week/day and auto restart the containers.
I've been using Portainer for managing a handful of basic containers on my home server (zoneminder, deluge, jellyfin, unifi controller). Overall I really like it, but some kind of feature to do this is probably the #1 thing I'm missing. It even lets you launch "stacks" from a compose file in a git repo, but doesn't have any facility to remember that info or do a redeploy, so you're basically starting from scratch every time:
I wonder about the underlying instance's OS, though... in the past, for home servers, I've set up cron jobs to get OS updates and reboot, but that seems wrong for a web server I'd like to be always up.
Maybe create a new instance, update the OS, install the app, switch over? Is there automation for this kind of thing?
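The pull, stop, start cycle described in the thread, as an added example that is not code from any of the posters: it recreates a container only when the image tag now points at a different image ID, so a scheduled run does not restart services needlessly. The function names, the container name and the run options are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: recreate a container only when its image tag has moved.
# Function names are hypothetical; only standard docker CLI calls are used.

# Image ID the existing container was created from ("" if it does not exist).
running_image_id() {
    id=$(docker inspect --format '{{.Image}}' "$1" 2>/dev/null) || id=""
    printf '%s' "$id"
}

# Image ID the local tag currently points at.
local_image_id() {
    docker image inspect --format '{{.Id}}' "$1"
}

# Usage: update_container NAME IMAGE [docker run options...]
# Prints "unchanged" or "recreated"; returns non-zero if any step fails.
update_container() {
    name=$1
    image=$2
    shift 2
    # Refresh the local tag from the registry.
    docker pull --quiet "$image" >/dev/null || return 1
    new_id=$(local_image_id "$image") || return 1
    old_id=$(running_image_id "$name")
    if [ "$old_id" = "$new_id" ]; then
        echo unchanged
        return 0
    fi
    # Stop and remove the old container only if one exists.
    if [ -n "$old_id" ]; then
        docker stop "$name" >/dev/null || return 1
        docker rm "$name" >/dev/null || return 1
    fi
    # Start a fresh container from the updated image with the caller's options.
    docker run -d --name "$name" "$@" "$image" >/dev/null || return 1
    echo recreated
}
```

Sourced from a daily or weekly cron job and called once per container, this gives the scheduled update-and-restart the thread describes; any data that must survive the recreate has to live in a volume passed through the run options.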