Containers were never actually designed to be sandboxes, and inside you have access to many system calls and a comparatively huge surface area inside the kernel and userland, all written in C, with a long history of local root exploits due to C based bugs.
Because if you can get root in a container, you have root outside the container. While escaping a container isn’t exactly easy or always possible, it is a huge risk.