Lxd: No info regarding apt upgrade versus apt full-upgrade in a LXD setup

Created on 23 Oct 2017 · 2 Comments · Source: lxc/lxd

Issue description

In a normal LXD setup there are two dimensions: the host and the containers.

There are two ways of maintaining the system up to date, namely "apt upgrade" and "apt full-upgrade". They behave really differently, and involve upgrading the kernel in a very different frequency. The last one will very often install a new kernel and as such is relevant in this two dimensional setup in which the kernel is shared.

So which of those two commands is recommended in the host and which in the containers? Recommendations for a production setup and a dev setup would be great. @stgraber

All 2 comments

LXD container images don't include a kernel, so even running full-upgrade (aka dist-upgrade) will not install a kernel.

The actual difference between the two is that a "safe" upgrade (apt upgrade) will only upgrade existing packages but will NOT install any new package in order to satisfy the upgrade. Instead any package which requires a new package to be installed to be upgraded will be held back.

A full upgrade (or dist upgrade) instead does allow for upgrading packages that introduce new dependencies. The most common case of this is indeed the kernel meta package pointing to a new set of kernel binary packages, but it's just one of the examples of that policy. We've seen similar changes to other packages where one of their updates ended up splitting some component out in their own package, causing a new package to be installed on upgrade and therefore requiring a full/dist upgrade.

My policy in general is to always do full upgrades and look at the output. A full upgrade does have the potential to cause apt to solve a package conflict by removing something from your system, so you want to make sure that the upgrade doesn't involve any package removal that you're not fine with. On a stable Ubuntu/Debian release, those kinds of removals should never happen (by policy) so if they do, it's usually some kind of packaging bug that'll be corrected shortly.

The main exception is if you work for a government or other environment where every new package being installed must be cleared by some third party (audited or the like), in that case, a safe-upgrade (apt upgrade) will always be fine whereas a full upgrade (dist-upgrade) may require some additional paperwork.

Closing the issue because none of the images we publish for LXD include a kernel, so the original premise of this question doesn't make sense. The comment above should do an okay job at explaining what the two upgrade modes actually mean at the apt resolver layer.
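
One way to automate the "do a full upgrade and look at the output" check from the first comment, as an added example that is not part of the original thread or of LXD: it classifies the plan printed by `apt-get -s dist-upgrade` into removals, newly installed packages and in-place upgrades. The function names and the sample plan (with made-up package names) are assumptions; the parsing relies on the `Inst`/`Remv`/`Conf` lines that apt's simulate mode prints.

```shell
#!/bin/sh
# Added example: classify an apt simulation plan read from stdin.
# Real use on a Debian/Ubuntu host or container:
#   apt-get -s dist-upgrade | plan_removals

# Constructed sample of simulate-mode output; package names are made up.
SAMPLE_PLAN='Reading package lists...
Building dependency tree...
Remv oldsplit-data [1.0-1]
Inst examplelib1 [1.0-1] (1.0-2 Ubuntu:stable [amd64])
Inst example-meta [4.0.1] (4.0.2 Ubuntu:stable [amd64])
Inst example-image-4.0.2 (4.0.2-1 Ubuntu:stable [amd64])
Conf examplelib1 (1.0-2 Ubuntu:stable [amd64])
Conf example-image-4.0.2 (4.0.2-1 Ubuntu:stable [amd64])
Conf example-meta (4.0.2 Ubuntu:stable [amd64])'

# Packages the resolver would remove to satisfy the upgrade.
plan_removals() { awk '$1 == "Remv" { print $2 }'; }

# Newly installed packages: "Inst" lines carry no [installed-version]
# field when the package is not on the system yet. These are the ones
# a plain "apt upgrade" would refuse to pull in.
plan_new_installs() { awk '$1 == "Inst" && $3 !~ /^\[/ { print $2 }'; }

# Packages upgraded in place (an installed version is shown in brackets).
plan_upgrades() { awk '$1 == "Inst" && $3 ~ /^\[/ { print $2 }'; }

# Exit status 0 only when the plan removes nothing; usable as a gate
# before running the real full-upgrade unattended.
plan_has_no_removals() { [ -z "$(plan_removals)" ]; }

# Demonstration on the constructed sample.
echo "would remove:";      printf '%s\n' "$SAMPLE_PLAN" | plan_removals
echo "would newly install:"; printf '%s\n' "$SAMPLE_PLAN" | plan_new_installs
echo "would upgrade:";     printf '%s\n' "$SAMPLE_PLAN" | plan_upgrades
if printf '%s\n' "$SAMPLE_PLAN" | plan_has_no_removals; then
    echo "plan is removal-free"
else
    echo "plan removes packages: review before applying"
fi
```

In an environment where every new package must be cleared first, the `plan_new_installs` list is the set that needs sign-off before a full upgrade.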
