... Okay, cool. Now why does Docker not do this by default? Likewise with seccomp restrictions, which are available on literally every kernel that supports Docker. "Security" is pointless if it's not automatic.