In terms of security best practices for containerization, why is it considered a bad practice to omit the USER directive in a Dockerfile?

Study for the Kubernetes Certified Network Administrator Exam. Our test offers comprehensive flashcards, multiple-choice questions, and detailed explanations. Be confident for your exam!

Multiple Choice

In terms of security best practices for containerization, why is it considered a bad practice to omit the USER directive in a Dockerfile?

Explanation:
Omitting the USER directive leaves the container's processes running as root (UID 0) inside the container, because every build stage starts as root unless the base image or a USER instruction says otherwise. Whether that root is dangerous then depends on the host, not on the image. If the Docker daemon has user namespace remapping enabled (the `userns-remap` setting in daemon.json), container UID 0 is mapped to an unprivileged UID range on the host, so the host's user namespace supplies the isolation rather than the container enforcing a non-root user itself. That is the option this question points to: skipping explicit non-root execution inside the container means relying on the host's user namespace mapping. It is not about build failures or package installation; omitting USER breaks neither. The caveat cuts the other way as well: Docker does not enable user namespaces by default, so on a default host container root is host root, restrained only by dropped capabilities and the seccomp and LSM profiles, and a container escape yields root on the host. Setting a non-root USER in the image makes least privilege a property of the image itself, independent of how each host happens to be configured.

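The explanation above says the effective user is decided by the last applicable USER instruction, or defaults to root when there is none. As an added example (not from Passetra or the exam material), here is a POSIX shell check that reports which user a Dockerfile's final stage will run as, so a build pipeline can refuse images that never drop root. The three Dockerfiles are constructed for this illustration; the function names `dockerfile_effective_user`, `dockerfile_runs_as_root` and `dockerfile_verdict` are this example's own. The check is text-only: it cannot see a USER baked into the base image, and it does not parse line continuations of the USER instruction itself.

```shell
#!/bin/sh
# Added example: detect Dockerfiles whose final stage runs as root.

# Constructed sample: no USER directive, so ENTRYPOINT starts as UID 0.
ROOT_DOCKERFILE='FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates
COPY app /usr/local/bin/app
ENTRYPOINT ["/usr/local/bin/app"]'

# Constructed sample: a dedicated unprivileged user is created and selected
# before ENTRYPOINT. A numeric UID is used so Kubernetes runAsNonRoot can verify it.
NONROOT_DOCKERFILE='FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
 && useradd --system --uid 10001 --no-create-home app
COPY app /usr/local/bin/app
USER 10001:10001
ENTRYPOINT ["/usr/local/bin/app"]'

# Constructed multi-stage sample: USER in the build stage does NOT carry into
# the final stage, which therefore runs as root.
MULTISTAGE_DOCKERFILE='FROM golang:1.22 AS build
USER 1000
WORKDIR /src
COPY . .
RUN go build -o /out/app .
FROM debian:bookworm-slim
COPY --from=build /out/app /usr/local/bin/app
ENTRYPOINT ["/usr/local/bin/app"]'

# Print the user the final stage runs as ("root" when no USER directive applies).
# Reads a Dockerfile on stdin. Each FROM starts a new stage and resets the user;
# the ":group" suffix of "USER uid:gid" is stripped. Caveat: a stage inherits its
# base image's USER, which a text-only check cannot see.
dockerfile_effective_user() {
  awk '
    toupper($1) == "FROM" { u = "" }
    toupper($1) == "USER" { u = $2; sub(/:.*/, "", u) }
    END { if (u == "") u = "root"; print u }
  '
}

# Exit 0 when the Dockerfile on stdin runs its final stage as root ("root" or 0),
# exit 1 otherwise. Suitable for "dockerfile_runs_as_root < Dockerfile && fail".
dockerfile_runs_as_root() {
  u=$(dockerfile_effective_user)
  case "$u" in
    root|0) return 0 ;;
    *) return 1 ;;
  esac
}

# Human-readable verdict for a Dockerfile on stdin: "ROOT" or "nonroot:<user>".
dockerfile_verdict() {
  u=$(dockerfile_effective_user)
  case "$u" in
    root|0) echo "ROOT" ;;
    *) echo "nonroot:$u" ;;
  esac
}

# Usage: report each constructed sample. Prints ROOT, nonroot:10001, ROOT.
for name in ROOT_DOCKERFILE NONROOT_DOCKERFILE MULTISTAGE_DOCKERFILE; do
  eval "content=\$$name"
  printf '%-22s %s\n' "$name" "$(printf '%s\n' "$content" | dockerfile_verdict)"
done
```

To confirm what a built image will actually do, rather than what the Dockerfile text says, inspect the image metadata with `docker image inspect --format '{{.Config.User}}' IMAGE` (empty means root) or run `docker run --rm IMAGE id -u`. On the Kubernetes side, `securityContext.runAsNonRoot: true` makes the kubelet refuse to start a container whose image user is UID 0, which is why the hardened sample sets a numeric UID rather than a name.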
