
:\ It really is unfortunate that that setting is great for letting people run containers (and the like) without giving them root access... but also has a bad track record of then having vulnerabilities that allow root access.


IMHO it is just designed to be too complicated/flexible.


I'm not a kernel developer so take with a grain of salt; what I've heard suggested is that it's not fundamentally bad and if we'd had it from day one it would be fine, but a lot of kernel interfaces were designed with the idea that only root could use them so they didn't worry about certain security matters as much. And maybe that was never ideal but it could even be reasonable; if only root can trigger a bug that gives you root access... it's not good because it could be used to work around other restrictions, but one can imagine that it wouldn't exactly be a priority. But then what actually happened is that very late in the game we got this new feature that allows any old user to access these less-protected interfaces, and that's resulted in a certain amount of... catching up.



