by _0w8t 3714 days ago
From a security point of view there are few practical differences. The container can still communicate with docker normally and trivially become root on the host. What it prevents is altering ownership and permissions of the socket.
1 comments

Ah okay, so that's why I see people using a read-only mount on a docker socket. That makes sense. Somehow I never thought of that implication; I was just thinking about how in the world a file descriptor permission would affect the HTTP traffic as it travels over the socket, but obviously it doesn't.
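An added example (not from either commenter) of the check a defender would want from this thread: a Python scan over `docker inspect` output that flags every container bind-mounting the daemon socket and reports a read-only mount at the same severity as a writable one, since the `ro` flag only blocks chmod/chown on the socket inode, not API traffic over it. The sample inspect data is constructed inline; the code assumes the standard inspect fields `Name` and `Mounts[].Type/Source/RW`.

```python
import json

# Constructed sample of the relevant fields from `docker inspect` output for
# three containers (illustrative names and paths, not real output).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Mounts": [
        {"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html", "RW": False}]},
    {"Name": "/agent-ro", "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": False}]},
    {"Name": "/agent-rw", "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": True}]},
])

# Host paths where the Docker daemon socket normally lives.
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def find_socket_mounts(inspect_json):
    """Return a finding for every container that bind-mounts the daemon socket.

    A read-only mount (RW=False) is reported as 'high' just like a writable one:
    read-only only prevents changing the socket's ownership/permissions, while
    requests to the Docker API still flow over the connected socket, which is
    what grants daemon-level (effectively root-on-host) access.
    """
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and mount.get("Source") in DOCKER_SOCKETS:
                writable = bool(mount.get("RW"))
                findings.append({
                    "container": container["Name"].lstrip("/"),
                    "mode": "rw" if writable else "ro",
                    "severity": "high",
                    "note": ("writable docker.sock mount" if writable
                             else "read-only mount does not restrict Docker API access"),
                })
    return findings


if __name__ == "__main__":
    for f in find_socket_mounts(SAMPLE_INSPECT):
        print(f"[{f['severity']}] {f['container']}: docker.sock mounted {f['mode']} - {f['note']}")
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample.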