There was a CVE in February [0][1] that escaped out of Docker's default settings. runc has a few of these over the last few years, it isn't inconceivable that there are more to be found.
Docker does do a decent job of setting some sensible defaults - but it isn't a security sandbox and they don't market it as such.