Docker has to run as root, or use otherwise insecure methods ("rootless" is a sham, it requires suid binaries and CVE ridden unprivileged user namespaces).

I agree with ports, working[0][1][2] on it.

[0] https://github.com/moby/moby/discussions/45524

[1] https://github.com/moby/moby/issues/45532

[2] https://github.com/moby/moby/pull/45076