
Most of this guidance can be checked over by anyone with basic competency in the field, and cross-referenced against documentation - in general a lot of the guidance from government security agencies is focused on solid and robust design principles (isolating things, not reusing things, turning off specific functionality that exposes risky attack surfaces, being aware of unusual or non-obvious defaults).

Not running containers as root is accepted by pretty much everyone I'm aware of as a 'good move'. Same for building images carefully and preventing filesystem changes at runtime. Same goes for using sandboxing, syscall filtering etc.

This is a bit different from giving you a series of black box parameters and telling you to blindly rely on them. (And even then, DES being hardened against differential cryptography shows that's not always a bad thing, though more recent examples show the opposite can also happen).



