Only if you run with no isolation / user namespace. And even without that, you need to run with `--privileged` to get access to interesting capabilities. It's not as simple as container root == host root.
Are user namespaces enabled by default, or are they something that you have to enable and then spend time dealing with all the containers that weren't written with them in mind?
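A way to check both conditions from the thread for a given process (is root remapped by a user namespace, and which of the broad capabilities does it actually hold), as an added example that is not code from either commenter. The function names and the choice of "notable" capabilities are assumptions made here, and the sample `/proc` contents are constructed.

```python
# Capability bit numbers from linux/capability.h; this subset is an
# illustrative choice of the broad ones, not an exhaustive list.
NOTABLE_CAPS = {16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO",
                19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

def root_maps_to_parent_root(uid_map_text):
    """True if UID 0 here is UID 0 in the parent user namespace.

    Each uid_map line is "<inside-start> <outside-start> <length>".
    With nested namespaces the parent is not necessarily the host.
    """
    for line in uid_map_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        inside, outside, length = (int(f) for f in fields)
        if inside <= 0 < inside + length:
            return outside - inside == 0
    return False  # UID 0 is not mapped at all

def notable_caps(status_text):
    """Decode the CapEff hex mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return sorted(n for b, n in NOTABLE_CAPS.items() if mask >> b & 1)
    raise ValueError("no CapEff line found")

def assess(uid_map_text, status_text):
    if not root_maps_to_parent_root(uid_map_text):
        return "remapped-root"
    if notable_caps(status_text):
        return "unmapped-root-with-broad-caps"
    return "unmapped-root-restricted-caps"

# Constructed samples (not captured from a real host).
NO_USERNS_MAP = "         0          0 4294967295\n"
USERNS_MAP = "         0     100000      65536\n"
RESTRICTED_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"
FULL_STATUS = "Name:\tsh\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    for m, s in [(USERNS_MAP, RESTRICTED_STATUS),
                 (NO_USERNS_MAP, RESTRICTED_STATUS),
                 (NO_USERNS_MAP, FULL_STATUS)]:
        print(assess(m, s), notable_caps(s))
```

On a Linux system the same functions can be fed the contents of `/proc/self/uid_map` and `/proc/self/status` read from inside the container.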