Hi Gabriele,
Just to add to what Ayush and Bhasker said, yes, all syscalls are intercepted and handled by gVisor. gVisor uses some syscalls on the host for the implementation but none are passed through directly.
We don't have any docs on the syscalls used by gVisor on the host. This list is a bit dynamic based on what options you use (host networking enables more syscalls on the host for example).
We do have docs for syscalls supported by the gVisor sentry for applications running inside the sandbox. The docs describe the error messages that the Sentry will return (it may not always be ENOSYS).
These docs are automatically generated from source so they should be up to date.
In terms of performance, overhead in gVisor could be a number of things. Your workload does not sound syscall heavy so I would guess most differences between gVisor and the host might be I/O related (network or file system) or have some other cause. I think we would need a bit more info to know for sure.
Hope that helps!
Ian