by kentonv
4066 days ago
Docker aims to run arbitrary off-the-shelf Linux apps (and even entire distros) with no modification. Such apps are largely authored to work in traditional environments where security is fairly ad hoc and requires fiddly user configuration. Although in many cases it would not be hard to adapt them to a uniform security model, any such requirement would mean that Docker would only support apps that have been "ported" to that model, which would make it a very different kind of platform not suited for the same use cases.

For an example of the opposite approach, look at Sandstorm.io. It forces apps to conform to a strict platform-defined security model where things are isolated "by default" and from there the user can use friendly UI to grant permissions as necessary. This means that currently there are only some 30 apps available on Sandstorm but they are (or will be, when Sandstorm reaches 1.0) "secure by default", or at least much more so than other platforms could claim. (Disclosure: I'm the lead developer of Sandstorm.)