It's not the worst thing in the world, because a competent administrator/infrastructure engineer who's comfortable with the underlying tools can account for this and mitigate it. That said, Docker markets consciously and directly to people who are not competent, with an undercurrent of "you don't need competent people to use this!". And, as in most computer-y cases, it's not the fault of the incompetent and the ignorant that they trust the providers of tools; implicit in actually providing them is that they are generally safe with the defaults that are given. Which in Docker's case they're emphatically not. That hurts people, and very little gets me saltier than hurting people unnecessarily.

(I haven't ruled out that it might be a lack of a culture of security, too, on the Docker team's part; there was that whole "oh, yeah, put desktop applications in Docker containers, never mind that now you're running Chrome as root and putting the unprivileged X socket in the container, letting it pump messages to any other application" thing from a Docker core contributor. Maybe they just don't know, themselves? Woof.)



