Since the author of this post is making efforts to bind mount specific directories, is that still a legit risk? root inside the container isn’t essentially the same root on host. But yes, UID and GID mappings along with user namespacing will be better.
But you have to be root outside of the container to run Docker. Which means the author has to run every single little command as root. That violates the principle of least privilege, increases the potential damage caused by bugs or mistakes, and therefore is a very legit risk.
Also notice how the shell snippets in the article don't use sudo to run docker. That indicates that the author probably added their user to the docker group, which is equivalent to always logging in as root. That's terrible, terrible security practice.
I can't agree that root inside the container is different from root on the host, either. The kernel makes no such distinction unless user namespacing is enabled. When containerized processes gain access to host resources, whether intentional or not, they'll have the same level of access as root on the host.
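The user-namespace point discussed in this thread can be checked from inside a container by reading `/proc/self/uid_map`. The following is an added example, not part of any comment above; the function names and the two sample maps are constructed for illustration, and it assumes a single level of user-namespace nesting.

```python
"""Report whether UID 0 in this process's user namespace is UID 0 outside it."""
from pathlib import Path


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside_start, outside_start, length) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        entries.append(tuple(int(f) for f in fields))
    return entries


def map_to_outside(entries, inside_id):
    """Translate an ID inside the namespace to the outside ID, or None if unmapped."""
    for inside_start, outside_start, length in entries:
        if inside_start <= inside_id < inside_start + length:
            return outside_start + (inside_id - inside_start)
    return None


def root_is_host_root(uid_map_text):
    """True when container UID 0 maps to UID 0 outside (no remapping in effect)."""
    return map_to_outside(parse_id_map(uid_map_text), 0) == 0


# Constructed samples: the identity map seen without user namespacing, and a
# remapped range of the kind a subordinate UID allocation would produce.
NO_USERNS = "         0          0 4294967295\n"
REMAPPED = "         0     100000      65536\n"

if __name__ == "__main__":
    path = Path("/proc/self/uid_map")
    text = path.read_text() if path.exists() else NO_USERNS
    if root_is_host_root(text):
        print("UID 0 here is UID 0 outside: a bind mount is accessed as host root")
    else:
        outside = map_to_outside(parse_id_map(text), 0)
        print(f"UID 0 here maps to outside UID {outside}")
```

With the identity map, files reached through a bind mount are accessed with host root's credentials; with the remapped range, the same access is checked against an unprivileged host UID.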