'docker' group is root equivalent and bypasses policy, audit · Issue #9976 · moby/moby
This needs more prominent documentation. Yes it's there, halfway down the page, but it's effectively hidden in a "security speak" document. Most casual readers will see the first paragraph, and read it as "I see they thought of security -- they're running things in their own namespaces, containers are isolated" and stop there.
And not read the huge gaping hole -- anyone with privileges to run docker can bypass all other security policies and become root.
That belongs in the first paragraph as a strong warning. That may not sound as good to the readers -- but they need to know that granting membership to the docker group is essentially the same as sudo.
I could make a case that the default uid/gid for docker run be those of the user! But, no doubt many operational issues would arise. But still this should be considered.
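As an added example (not from the issue or from the moby project), a POSIX shell audit that treats docker-group membership the way an administrator already treats sudo/wheel membership: it lists accounts whose root-equivalent access exists only via the docker group. It assumes a group(5)-format file; the sample file below is constructed, and the function and variable names are the example's own.

```shell
# Print the comma-separated member list of a group from a group(5) file.
group_members() {  # $1 = group name, $2 = group file
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Print, one per line, docker-group members who are NOT already in an
# admin group (sudo or wheel). These users hold root-equivalent access
# that an audit of sudoers alone would miss.
docker_members_without_sudo() {  # $1 = group file
    docker_list=$(group_members docker "$1")
    admin_list=$(group_members sudo "$1"),$(group_members wheel "$1")
    printf '%s\n' "$docker_list" | tr ',' '\n' | while IFS= read -r u; do
        [ -n "$u" ] || continue
        case ",$admin_list," in
            *",$u,"*) ;;                # already an admin: nothing new
            *) printf '%s\n' "$u" ;;    # hidden root-equivalent account
        esac
    done
}

# Constructed sample group file (NOT a real system's /etc/group).
SAMPLE_GROUP_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP_FILE"' EXIT
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
sudo:x:27:alice
wheel:x:10:
docker:x:999:alice,bob,ci-runner
EOF

# Usage: accounts whose root-equivalent access is "hidden" in the docker group.
docker_members_without_sudo "$SAMPLE_GROUP_FILE"
```

Point the second argument at /etc/group to run it against a real host; every name printed should be reviewed with the same scrutiny as a sudoers entry.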