This is wrong. Running root processes in Docker is far from safe. If the container is compromised, the root user can do anything, because root in the container is also root on the host. This is the reason why Docker 1.10 introduced user namespaces: https://success.docker.com/Datacenter/Apply/Introduction_to_User_Namespaces_in_Docker_Engine
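One way to check what the comment above describes, as an added example that is not part of the original comment: the kernel exposes each process's user-namespace mapping in `/proc/<pid>/uid_map`, and the script below resolves container UID 0 to its host UID. The function names and the two sample maps are constructed for illustration; the `100000` range is an assumed subordinate UID range, not a value from the page.

```shell
#!/bin/sh
# Added example: resolve a UID seen inside a container to the host UID,
# using uid_map text. Line format (user_namespaces(7)):
#   <first-id-inside> <first-id-outside> <length>

# map_uid UID  (uid_map text on stdin) -> prints host UID, or "unmapped"
map_uid() {
    awk -v uid="$1" '
        BEGIN { uid += 0 }
        NF == 3 && uid >= $1 + 0 && uid < $1 + $3 {
            print $2 + (uid - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }
    '
}

# root_exposure (uid_map text on stdin) -> classifies what container root is
root_exposure() {
    host=$(map_uid 0)
    case "$host" in
        0)        echo "host-root" ;;        # container root == host root
        unmapped) echo "unmapped" ;;         # UID 0 has no host identity
        *)        echo "remapped:$host" ;;   # container root is unprivileged on host
    esac
}

# Constructed sample: no user namespace remapping (identity map).
printf '         0          0 4294967295\n' | root_exposure

# Constructed sample: daemon started with userns-remap, assumed range 100000+.
printf '         0     100000      65536\n' | root_exposure

# Live check: run this script inside the container to inspect its own mapping.
if [ -r /proc/self/uid_map ]; then
    printf 'this process: '
    root_exposure < /proc/self/uid_map
fi
```

A result of `host-root` for a container process means a breakout or a writable host bind mount is exercised with host UID 0; `remapped:<uid>` means the same process is an unprivileged user from the host's point of view.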