Tags: linux, security, docker, debian, file-permissions

Docker image running as unknown user ID can delete root files


Is this correct? A random user ID can delete a file owned by root?

    docker run -ti -u 1001 debian:stretch
    I have no name!@2af53be18a40:/$ rm -f /etc/passwd
    I have no name!@2af53be18a40:/$ ls /etc/passwd
    ls: cannot access '/etc/passwd': No such file or directory

I think this used to work (i.e. permission denied), although I haven't tried that exact sequence of commands in the past. The results above are from Docker version 1.12.2, build bb80604 running on Stretch.
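Added example, not part of the question or the answer above: a small POSIX shell script that exercises the rule the Linux kernel applies to unlink(2). Deleting a file needs write and search permission on the parent directory; the owner and mode of the file itself do not matter, and a process holding CAP_DAC_OVERRIDE (uid 0 in a default container) bypasses that check entirely. So the observation in the question reduces to two checks run inside the container as the same user: `ls -ld /etc` (is the directory writable by that uid?) and `grep CapEff /proc/self/status` (does the process still hold CAP_DAC_OVERRIDE, capability bit 1?). The function names and the temporary-directory setup are mine; the script says nothing about which of the two explains the original report.

```shell
#!/bin/sh
# Added example (not from the original question or answer): show what
# governs unlink(2) on Linux. Deleting a file needs write+search permission
# on the *parent directory*; the file's own owner and mode are irrelevant,
# and CAP_DAC_OVERRIDE (held by uid 0 in a default container) bypasses
# the check.

# Return 0 if this process holds CAP_DAC_OVERRIDE (capability bit 1) in its
# effective set, as reported by /proc/self/status. Where /proc is not
# available, fall back to "am I uid 0".
dac_override_held() {
    if [ -r /proc/self/status ]; then
        capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
        [ $(( 0x$capeff & 2 )) -ne 0 ]
    else
        [ "$(id -u)" -eq 0 ]
    fi
}

# Create a scratch directory with mode $1 containing a file with mode $2,
# attempt 'rm -f' on the file, and print "allowed" or "denied".
try_unlink() {
    dir_mode=$1
    file_mode=$2
    tmp=$(mktemp -d)
    mkdir "$tmp/d"
    : > "$tmp/d/f"
    chmod "$file_mode" "$tmp/d/f"
    chmod "$dir_mode" "$tmp/d"
    if rm -f "$tmp/d/f" 2>/dev/null; then
        result=allowed
    else
        result=denied
    fi
    # Restore write permission so the scratch tree can be removed.
    chmod 755 "$tmp/d"
    rm -rf "$tmp"
    echo "$result"
}

# On a plain non-root shell the two cases come out the opposite way round
# from what "the file is owned by root" intuition suggests:
#   world-writable file in a read-only directory -> denied
#   read-only file in a writable directory       -> allowed
# With CAP_DAC_OVERRIDE (root in a default container) both are allowed.
explain() {
    if dac_override_held; then cap=yes; else cap=no; fi
    echo "uid=$(id -u) CAP_DAC_OVERRIDE=$cap"
    echo "dir 555, file 666: $(try_unlink 555 666)"
    echo "dir 755, file 444: $(try_unlink 755 444)"
}

explain
```

To apply this to the container in the question, run `ls -ld /etc` and `grep CapEff /proc/self/status` as uid 1001 inside it: if `/etc` is writable by that uid, or the effective capability set still includes bit 1, the `rm` is behaving exactly as the kernel specifies for that process.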


Solution

  • Happy to report that this is fixed in Docker 1.23!