What makes you think that this is not "the best practice"?
Then I'm not sure how you expect the X11 client applications to survive
the checkpoint and restore. And this would affect VNC the same way.
All X11 applications usually connect to the X11 server using unix domain
sockets (see /tmp/.X11-unix/. You could try switching them to TCP
sockets if that is better supported by the checkpoint code.
Please always try to provide details and in particular the specific
errors you encounter. "does not work" is not it.
This seems to be using regular displays with unix domain sockets.
So you will really need to clarify the problem(s) you encounter, and the
CRIU issues, if any, with the sockets.
Xpra is a client of the X11 server (Xdummy or Xvfb), so it will also
connect using unix domain sockets.
If it helps to use TCP sockets instead of unix domain sockets, then you
can try versions newer than this changeset:
https://xpra.org/trac/changeset/14729

And connect xpra to the X11 server using TCP.
Something like this (here for Fedora 25):

/usr/libexec/Xorg -noreset \
-nolisten unix -listen tcp \
+extension GLX +extension RANDR +extension RENDER \
-logfile /run/user/1000/xpra/Xorg.100.log \
-configdir /home/antoine/.xpra/xorg.conf.d \
-config /etc/xpra/xorg.conf :100 &
xpra start \
--bind=none --bind-tcp=0.0.0.0: \
--no-daemon --start=xterm \
--use-display 127.0.0.1:100
Not sure what you mean.
I don't see why that wouldn't work.

Cheers
Antoine

Hello,

I'm the author of a project called subuser.org which helps users install
and use GUI applications in Docker. We use XPRA, but we don't do CRIU
and don't plan on it either.

In my experience, there using XPRA with containers isn't bad practice,
I'm not sure where you heard that from. It works quite well actually.

In order to securely provide access to the X11 server, I have subuser
set up to use a 3 container per application approach which is described
here http://subuser.org/news/0.3.html#the-xpra-x11-bridge .

I presume you currently have it set up so that the XPRA server runs in
the same container as the GUI application? Is your trouble then that the
UNIX sockets INSIDE the container don't work? Aka the applications
connection to the xpra server via the /tmp/.X11-unix socket?

Or is the trouble with the socket that connects the xpra server to the
xpra client? If you're running into the former case then I think you
have no hope of using CRIU for anything usefull untill such a severe bug
is fixed :(. If it is the later, then I think we might be able to find
some workarounds, such as detaching the xpra client before freezing and
then reattaching it afterwards.