How to pass docker.sock to your containers while keeping security (scene-si.org)
4 points by titpetric 3714 days ago
1 comments

This is a great idea, I've always been wary of mounting docker.sock into a container. Does a read-only mount make any difference, I wonder?
From a security point of view there is little practical difference. The container can still communicate with Docker normally and trivially become root on the host. What it prevents is altering ownership and permissions of the socket.
Ah okay, so that's why I see people using read-only mounts on a Docker socket. That makes sense. Somehow I never thought of that implication; I was just thinking about how in the world a file descriptor permission would affect the HTTP traffic as it travels over the socket, but obviously it doesn't.
In this case, you can't use a read-only mount. The underlying protocol is HTTP, which means you must write a request to the socket to get a response. You can use read-only mounts for `/proc`, however, which just spits out data. I use it for titpetric/netdata, for example.
This is wrong, I use read-only mounts for Unix sockets all the time. Such a mount does not prevent reading from or writing to the socket. What the read-only mount prevents is modification of meta-information for the socket file, like changing ownership or permissions, or the ability to delete it.
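A probe for the point argued in the last two comments, added here as an example and not code from the thread or the linked article. It talks HTTP over a Unix socket the way a Docker client does and then attempts a metadata change; it runs against a constructed stub daemon in a temporary directory and assumes Linux, where the kernel's read-only-mount (EROFS) check applies to regular files, directories and symlinks but not to sockets, so pointing probe_socket at a real docker.sock mounted with :ro reports api_reachable True and metadata_mutable False.

```python
import http.client
import os
import socket
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class StubDaemon(HTTPServer):
    address_family = socket.AF_UNIX  # constructed stand-in for dockerd, not real Docker
    def server_bind(self):
        self.socket.bind(self.server_address)
        self.server_name, self.server_port = "docker.sock", 0
class StubHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # answer GET /version like the real API would (stub body)
        body = b'{"Version":"stub"}'
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet
class UnixHTTPConnection(http.client.HTTPConnection):
    def __init__(self, sock_path):  # http.client pointed at a socket path, not a TCP host
        super().__init__("localhost")
        self.sock_path = sock_path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)

def start_stub_daemon(sock_path):
    server = StubDaemon(sock_path, StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe_socket(sock_path):
    conn = UnixHTTPConnection(sock_path)
    conn.request("GET", "/version")  # the write a ro mount does NOT block: sockets are exempt from EROFS
    api_reachable = conn.getresponse().status == 200
    conn.close()
    try:
        os.chmod(sock_path, os.stat(sock_path).st_mode)  # no-op chmod: this is what a ro mount does block
        metadata_mutable = True
    except OSError:
        metadata_mutable = False
    return {"api_reachable": api_reachable, "metadata_mutable": metadata_mutable}

def demo():  # run against the stub on an ordinary rw directory
    path = os.path.join(tempfile.mkdtemp(), "docker.sock")
    server = start_stub_daemon(path)
    result = probe_socket(path)
    server.shutdown()
    return result
```

Calling demo() on a writable directory returns both flags True; only the second one changes when the socket sits on a read-only bind mount, which is why :ro does nothing to stop a container from driving the API.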