This only works if you trust all your docker images and audit them for root processes. Even then you still have setuid binaries and other privilege escalation risks, if you inherit from dockerhub images etc.