But then you're adding even more parties to trust as it's often the case that Docker images are not provided by the same people that are maintaining the project.
Fair point, but I haven't hit it in practice. Tons of services are embracing docker as a first-class output. I just checked and I run exactly 2 images that are from a third party.
As far as I understand 'below' the application layer there is usually a basic image (like alpine) in docker? Do these first parties maintain these as well? If not the trust chain just got longer.
I would call myself at least somewhat technically capable. But I actually never grasped docker beyond the 'I can pack an image and deploy it to AWS' stage so that I can access an internal tool I built at work over the internet.
I was not really understanding what I was doing and was more or less blindly following some tutorials on the net.
When building and deploying things to the shared hosting environment I use privately I have a better (albeit far from perfect) understanding of what I am doing while I know that I am trusting the underlying infrastructure and the people behind that.