This is probably the best option without running Metricbeat as root, but you're absolutely right about the GID. On my system, the docker group is GID 999, so I can create a custom image with:
FROM docker.elastic.co/beats/metricbeat:5.3.1
USER root
RUN addgroup docker --gid 999 && \
usermod --append --group docker metricbeat
USER metricbeat
That magic number is a problem, though.
I also tried making the Docker socket world-readable, but that wasn't sufficient. I think that the library used by Metricbeat to do HTTP over Unix sockets is trying to open the socket read/write, even though you would expect read-only to be sufficient for Metricbeat's purposes.