[zbentley]

Transitive deps, not steps.

Random examples off the top of my head: Puppet has a ton of transitive Ruby libraries and config files/caches that it leaves around; Terraform leaves some very big provider caches on the system; plan or output files, if generated and not cleaned up, can contain secrets; even the “control group” of the status quo with RUN instructions often results in package manager indexes and caches being left in images.

Those are all technically user error (hence why I called them footguns rather than defects), but they add up and are easy mistakes to make.