Clarify both layers: "USER in the Dockerfile sets who runs inside the container. Rootless Docker sets who runs the daemon on the host. You want both — non-root in the container AND a rootless daemon — for maximum isolation."
Rootless Docker runs the Docker daemon itself as a non-root user on the host, using user namespaces to map container root to an unprivileged host user. This is different from USER in a Dockerfile, which sets the in-container user but still requires a root-owned daemon. Rootless Docker provides defence in depth: even if an attacker escapes the container, they land as an unprivileged user on the host. Trade-offs: some features are limited (no privileged ports below 1024 without workarounds, no AppArmor, limited storage drivers), and networking uses slirp4netns or pasta, which can be slower. Strong candidates discuss: the difference between rootless mode and userns-remap, Podman as a rootless-by-default alternative, when rootless is mandatory (compliance, multi-tenant environments), and the performance implications for networking and storage.
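As an added example (not part of this answer key or of Docker's own tooling), the following POSIX shell audit checks the two layers separately: whether a Dockerfile leaves the process running as a non-root USER, and whether the daemon is rootless. It assumes that `docker info --format '{{.SecurityOptions}}'` lists `name=rootless` for a rootless daemon; the Dockerfiles and the security-option strings below are constructed sample inputs so the script runs without Docker installed.

```shell
#!/bin/sh
# Added example: audit both isolation layers described above.
# Layer 1 (image): does the Dockerfile end with a non-root USER?
# Layer 2 (host): does the daemon advertise rootless mode?
# Assumption: `docker info --format '{{.SecurityOptions}}'` contains
# "name=rootless" on a rootless daemon. Sample inputs are constructed.

# Layer 1: return 0 when the LAST USER instruction names a non-root user.
# Only the final USER matters; a Dockerfile may switch back to root after
# installing packages and forget to switch away again.
dockerfile_sets_nonroot_user() {
    last_user=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    if [ -z "$last_user" ]; then
        return 1            # no USER instruction at all: the container runs as root
    fi
    case "$last_user" in
        root|root:*|0|0:*) return 1 ;;   # explicit root, with or without a group
        *) return 0 ;;
    esac
}

# Layer 2: return 0 when the daemon's security options include the rootless marker.
# $1 is the text of `docker info --format '{{.SecurityOptions}}'`.
daemon_is_rootless() {
    printf '%s\n' "$1" | grep -q 'name=rootless'
}

# Combine both layers into one verdict line. Only "image=nonroot daemon=rootless"
# gives both the in-container and the host-side protection.
isolation_verdict() {
    if dockerfile_sets_nonroot_user "$1"; then img=nonroot; else img=root; fi
    if daemon_is_rootless "$2"; then dm=rootless; else dm=rootful; fi
    echo "image=$img daemon=$dm"
}

# Demo on constructed inputs (no Docker needed).
tmp=$(mktemp -d)
cat > "$tmp/Dockerfile.good" <<'EOF'
FROM alpine:3.19
RUN adduser -D -u 10001 app
USER app
CMD ["sh"]
EOF
cat > "$tmp/Dockerfile.bad" <<'EOF'
FROM alpine:3.19
RUN adduser -D -u 10001 app
USER app
RUN apk add --no-cache curl
USER root
CMD ["sh"]
EOF
rootless_opts='[name=seccomp,profile=builtin name=rootless name=cgroupns]'
rootful_opts='[name=apparmor name=seccomp,profile=builtin name=cgroupns]'

isolation_verdict "$tmp/Dockerfile.good" "$rootless_opts"   # image=nonroot daemon=rootless
isolation_verdict "$tmp/Dockerfile.bad"  "$rootful_opts"    # image=root daemon=rootful
rm -rf "$tmp"
```

The second Dockerfile is the common mistake the question is probing for: a USER directive is present, so a naive grep would pass it, but the last USER switches back to root. Note also that the image check says nothing about the host; a non-root USER on a rootful daemon still leaves a container escape landing as root on the host, which is why the verdict reports both layers.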
Advanced security question. Candidates who think a non-root USER directive is sufficient do not understand container escapes. Those who understand rootless mode and can articulate the trade-offs demonstrate deep container security knowledge.