He said "but your containers are not running as root".
That is objectively false.
uid = 0 is "privileged" basically everywhere in the kernel, from filesystem management (reading a file bind-mounted in that's owned by root, e.g.) to binding to low ports (like 80).
As you can see from the docs, it says "the most important security improvement is that, by default, container processes running as the root user will have expected administrative privilege (with some restrictions) inside the container but will effectively be mapped to an unprivileged uid on the host."
This implies the reverse, that if you don't use userns then your process as root in the container will be mapped to a privileged uid on the host.
This is all I'm saying is true. You clearly don't understand what I'm saying.
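The uid mapping discussed in the comment above, as an added example that is not part of the original post: it parses the contents of `/proc/<pid>/uid_map` and resolves which host uid a container's uid 0 corresponds to. The two sample maps are constructed, and the code assumes a single, non-nested user namespace, so the "outside" column is a host uid.

```python
"""Added example: resolve what a container's uid 0 maps to on the host."""
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed samples of /proc/<pid>/uid_map: inside-id, outside-id, length.
NO_USERNS = "         0          0 4294967295\n"  # identity map, no remapping
REMAPPED = "         0     100000      65536\n"   # constructed remap range


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Return (inside_start, outside_start, length) for each map line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        entries.append((inside, outside, length))
    return entries


def host_uid(text: str, container_uid: int = 0) -> Optional[int]:
    """Translate a uid inside the namespace to the uid outside it."""
    for inside, outside, length in parse_uid_map(text):
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None  # uid has no mapping in this namespace


def root_is_host_root(text: str) -> bool:
    """True when uid 0 in the container is also uid 0 on the host."""
    return host_uid(text, 0) == 0


if __name__ == "__main__":
    for name, sample in (("no userns", NO_USERNS), ("remapped", REMAPPED)):
        print(f"{name}: container uid 0 -> host uid {host_uid(sample)}")
    live = Path("/proc/self/uid_map")  # only present on Linux
    if live.exists():
        print("this process: root is host root =",
              root_is_host_root(live.read_text()))
```
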