FAQ
seasharp edited this page 2024-09-13 01:49:12 +00:00

Why run non-root containers?

In Linux, every process runs with a UID. Container processes (Docker, Podman, LXC, etc.) run as root: even when the containerized service is started as a non-root user inside the container, the container itself is still running as root on the host.

This means that an attacker who can leverage a privilege escalation exploit, or otherwise escape the container, ends up controlling a process with UID 0 (root) on the host.

Non-root containers avoid this privilege escalation path for compromised container runtimes by running them under non-root UIDs.
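The UID argument above can be checked on a running Linux host. The following added example (not part of the original FAQ) reads a process's `Uid:` line from `/proc/<pid>/status` and its `/proc/<pid>/uid_map`, and reports whether "root inside the container" is also root on the host; it goes slightly beyond the page by also handling a user-namespace remap, where container UID 0 maps to an unprivileged host UID. The sample status and uid_map contents are constructed, not captured from a real system.

```python
"""Check which host UID a container process really runs as (added example)."""
from pathlib import Path
from typing import List, Optional, Tuple

UidMap = List[Tuple[int, int, int]]  # rows of (inside_uid, outside_uid, count)


def parse_status_uids(status_text: str) -> Tuple[int, int]:
    """Return (real_uid, effective_uid) from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            ruid, euid = map(int, line.split()[1:3])
            return ruid, euid
    raise ValueError("no Uid: line in status text")


def parse_uid_map(uid_map_text: str) -> UidMap:
    """Parse /proc/<pid>/uid_map rows: UID inside the namespace, UID outside, count."""
    rows: UidMap = []
    for line in uid_map_text.splitlines():
        if line.strip():
            inside, outside, count = map(int, line.split())
            rows.append((inside, outside, count))
    return rows


def to_host_uid(ns_uid: int, uid_map: UidMap) -> Optional[int]:
    """Translate a namespace UID to a host UID; None if the UID is unmapped."""
    for inside, outside, count in uid_map:
        if inside <= ns_uid < inside + count:
            return outside + (ns_uid - inside)
    return None


def host_root_risk(status_text: str, uid_map_text: str) -> bool:
    """True when the process's effective UID is UID 0 on the host."""
    _ruid, euid = parse_status_uids(status_text)
    return to_host_uid(euid, parse_uid_map(uid_map_text)) == 0


def audit_pid(pid: int) -> bool:
    """Run the check against a live PID (Linux only; read from the host namespace)."""
    base = Path("/proc") / str(pid)
    return host_root_risk((base / "status").read_text(), (base / "uid_map").read_text())


# Constructed sample data, not captured from a real system.
STATUS_ROOT_IN_CONTAINER = "Name:\tnginx\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
STATUS_NONROOT_IN_CONTAINER = "Name:\tnginx\nUid:\t1000\t1000\t1000\t1000\n"
UID_MAP_IDENTITY = "         0          0 4294967295\n"  # default: no user namespace remap
UID_MAP_REMAPPED = "         0     100000      65536\n"  # rootless / userns remap

if __name__ == "__main__":
    print("identity map, root in container -> host root:", host_root_risk(STATUS_ROOT_IN_CONTAINER, UID_MAP_IDENTITY))
    print("remapped map,  root in container -> host root:", host_root_risk(STATUS_ROOT_IN_CONTAINER, UID_MAP_REMAPPED))
```

With the identity mapping (the default), root inside the container is reported as host root; with a remap or a non-root service user it is not.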
