After a lot of struggling I think I found a suitable work-around.

First off, you should not be using the /workspace directory. There is a discussion on GitHub about this: https://github.com/buildpacks/community/discussions/229

Using a top-level directory as mentioned above is the better approach; however, as soon as you mount a volume on that directory its permissions change to root:root, and this has been the default for compose since forever (2016?): https://github.com/docker/compose/issues/3270

This Medium article helped with the solution, https://pratikpc.medium.com/use-docker-compose-named-volumes-as-non-root-within-your-containers-1911eb30f731, and I just tweaked it a bit to work for me. You basically set up a second service that runs as root on startup and changes ownership of the directory in the volume to the cnb user.

Here is the compose file I ended up with:
services:
  # Fix Ownership of Build Directory
  # Thanks to Bug in Docker itself we need to use steps like this
  # Because by default, the volume directory is owned by Root
  change-vol-ownership:
    # We can use any image we want as long as we can chown
    # Busybox is a good choice
    # as it is small and has the required tools
    image: busybox:latest
    # Need a user privileged enough to chown
    user: "root"
    # Specify the group ID of the CNB user in question (default is 1000)
    group_add:
      - '${GROUP_ID}'
    # The volume to chown and bind it to container directory /data
    volumes:
      - my-volume:/data
    # Finally change ownership to the cnb user 1002:1000
    command: chown -R ${USER_ID}:${GROUP_ID} /data

  spring-boot-app:
    image: my-image:latest
    restart: unless-stopped
    volumes:
      - my-volume:/data
    # Run the app as the same non-root cnb user the volume was chowned to
    user: "${USER_ID}:${GROUP_ID}"
    depends_on:
      change-vol-ownership:
        # Wait for the ownership to change
        condition: service_completed_successfully

# The named volume shared by both services must be declared at the top level,
# otherwise compose rejects the file with an "undefined volume" error
volumes:
  my-volume:
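A guarded version of the init service's `chown -R` command, added here as an example and not part of the answer above: it only chowns when the ownership is actually wrong (so restarts are idempotent), refuses a path that is a symlink or not a directory, and verifies the result afterwards so that `service_completed_successfully` really reflects the outcome. It assumes the mounted path and the target UID/GID are passed as arguments and that the image provides `stat -c` and `chown -R` (busybox does).

```shell
#!/bin/sh
# Drop-in for the init container's command, e.g.:
#   command: sh -c 'fix_volume_owner /data "$USER_ID" "$GROUP_ID"'
# (after copying this script into the image or mounting it; assumed layout).

current_owner() {
    # Print "uid:gid" of a path; both GNU and busybox stat support -c.
    stat -c '%u:%g' "$1"
}

fix_volume_owner() {
    dir="$1"; want_uid="$2"; want_gid="$3"

    # Only operate on a real directory: a symlink at the mount path could
    # redirect a recursive chown somewhere else in the filesystem.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "refusing to chown '$dir': not a plain directory" >&2
        return 2
    fi

    # Already owned by the expected user: nothing to do on a restart.
    if [ "$(current_owner "$dir")" = "${want_uid}:${want_gid}" ]; then
        return 0
    fi

    chown -R "${want_uid}:${want_gid}" "$dir" || return 1

    # Confirm the change took effect before reporting success to compose.
    [ "$(current_owner "$dir")" = "${want_uid}:${want_gid}" ]
}
```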