Docker is literally just "download blobs and run them". Ever so helpful, Docker also silently turns off your system's firewall for you. Thanks, Docker!
That is true; and it's yet another layer to observe and secure. But it does provide a sandbox when configured properly. As an OSS maintainer of some images, I try to ensure that there are public build logs for auditors. As others noted, we are where web services were decades ago and we'll figure out better deployment models.
