Unfortunately, many use cases require some kind of privileges inside the container, starting with privilege drop itself when running a daemon that requires different levels of privilege for listening on a port, writing to logs or serving requests.
User namespaces offer useful features and can hopefully be combined with fine-tuned caps and seccomp to "safely" offer "root" inside the container.
@x_cli We should obviously not. But services that rent containers as full-featured "VPS" want their tenant to be able to run... Apache, for instance. This requires either fine-tuning a user namespace and capability assignment so that the container can have a namespaced root user, listen on a privileged port, then setuid to a less privileged user; or providing basic unrestricted root access in the container. Guess what happens most of the time :)
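Added example, not part of the original posts: a small audit that compares a container process's effective capabilities and uid mapping against the "bind a privileged port, then setuid" case described above. The `NEEDED` set, the function names and both sample inputs are assumptions constructed for illustration; on a live system the inputs would come from `/proc/<pid>/status` and `/proc/<pid>/uid_map`.

```python
# Added example. Bit order follows linux/capability.h (bit 0 = CAP_CHOWN).
CAPS = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
        "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN "
        "NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE "
        "SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME "
        "SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP "
        "MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ "
        "PERFMON BPF CHECKPOINT_RESTORE").split()

# Assumption: smallest set for "listen on a privileged port, then setuid".
NEEDED = {"NET_BIND_SERVICE", "SETUID", "SETGID"}

def decode_caps(hex_mask):
    """Turn a CapEff-style hex bitmask into a set of capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAPS) if mask >> bit & 1}

def host_uid_of_root(uid_map):
    """Host uid that container uid 0 maps to, or None if uid 0 is unmapped."""
    for line in uid_map.strip().splitlines():
        inside, outside, length = (int(f) for f in line.split())
        if inside <= 0 < inside + length:
            return outside - inside
    return None

def audit(status, uid_map):
    """Report capabilities beyond NEEDED and whether root is namespaced."""
    cap_eff = next(l.split()[1] for l in status.splitlines()
                   if l.startswith("CapEff:"))
    granted = decode_caps(cap_eff)
    return {"excess": sorted(granted - NEEDED),
            "missing": sorted(NEEDED - granted),
            "namespaced_root": host_uid_of_root(uid_map) not in (0, None)}

# Constructed sample: unrestricted root, no user namespace remapping.
UNRESTRICTED_STATUS = "Name:\thttpd\nCapEff:\t000001ffffffffff\n"
UNRESTRICTED_UIDMAP = "         0          0 4294967295\n"
# Constructed sample: tuned capability set, root mapped to host uid 100000.
TUNED_STATUS = "Name:\thttpd\nCapEff:\t00000000000004c0\n"
TUNED_UIDMAP = "0 100000 65536\n"

if __name__ == "__main__":
    for label, st, um in (("unrestricted", UNRESTRICTED_STATUS, UNRESTRICTED_UIDMAP),
                          ("tuned", TUNED_STATUS, TUNED_UIDMAP)):
        print(label, audit(st, um))
```

A non-empty `excess` list or `namespaced_root: False` marks the "basic unrestricted root" case rather than the fine-tuned one.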