Is `daemonUser` really the correct owner of the `defaultLinuxInstallLocation` files?


Using the DockerPlugin with the defaults, the image is created with a WORKDIR of /opt/docker, and all the files under it are owned by demiourgos728. The user is not a system user because that's "best practice". But should the user have the ability to modify the application files?

I'm thinking that if there were an exploit to the application that allowed the user to chmod +w and modify the application files, malware could somehow use that to gain further permissions. I don't have a particular strategy in mind, just spitballing.


There are 1 answers

Muki On

AFAIK the user does not have the ability to change any files. This has been reported multiple times and it should be so. Usually people want to write log files. However, for this use case you should mount external volumes or log to an external system.

Hope that helps,
Muki
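
Added example, not part of the original question or answer and not sbt-native-packager code: a POSIX shell audit for the concern raised in the question. On POSIX systems a file's owner can change its mode bits, so the function reports ownership separately from write bits. The function name and the demo tree are constructed for illustration; against a real image, run it on the image's `/opt/docker` with the UID and GID the image resolves for its daemon user.

```shell
#!/bin/sh
# Added example: report every path under DIR that the account UID
# (primary group GID) could modify.
#   owned          - UID owns the entry, so it can chmod it; read-only mode
#                    bits alone do not stop the owner
#   group-writable - entry belongs to GID and has the group write bit
#   other-writable - entry has the world write bit
audit_modifiable() {
    dir=$1 uid=$2 gid=$3
    find "$dir" -user "$uid" -print | sed 's/^/owned /'
    find "$dir" ! -user "$uid" ! -type l -group "$gid" -perm -0020 -print |
        sed 's/^/group-writable /'
    find "$dir" ! -user "$uid" ! -type l -perm -0002 -print |
        sed 's/^/other-writable /'
}

# Constructed demo tree standing in for the image's /opt/docker.
demo=$(mktemp -d)
mkdir -p "$demo/opt/docker/lib" "$demo/opt/docker/bin"
: > "$demo/opt/docker/lib/app.jar"
: > "$demo/opt/docker/bin/app"
chmod 0444 "$demo/opt/docker/lib/app.jar"   # read-only, but still owned by us
chmod 0555 "$demo/opt/docker/bin/app"

# Audit for the current account: every entry is reported as "owned".
audit_modifiable "$demo/opt/docker" "$(id -u)" "$(id -g)"
```

An empty report for the daemon user's UID and GID means the application files are owned by a different account and carry no write bit that user can use.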