Docker group membership is more dangerous than sudo

The Docker daemon has setUID root, and by design allows easy access as root to the host filesystem. This makes it trivial for a malicious user to read and alter sensitive system files, or for a careless user to allow a malicious containerized app to do so. Access to Docker commands effectively grants full root power.

Also, Docker doesn’t have any equivalent to sudo’s password check, which means that a successful arbitrary-code-execution exploit against a user who is in the docker group effectively grants the attacker root. Thus, the safer choice is to never add a user account — even your own — to the docker group, so that Docker commands can only be used via sudo.

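In other words, a user who has been added to the docker group can easily obtain root privileges (and without any authentication).
There is no security setting that prevents this (unless you go with rootless Docker).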
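
To find out which accounts this applies to on a host, the following added example (not part of the original post) lists every user in the docker group, including accounts whose primary group is docker and which therefore do not appear in the group's member list. The function name `docker_group_members` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit helper (added example): list accounts that are effectively root
# because they belong to the docker group.
# Arguments: a group(5)-format file and a passwd(5)-format file.
docker_group_members() {
    group_file=$1
    passwd_file=$2
    # Field 3 of the "docker" line is the numeric GID.
    gid=$(awk -F: '$1 == "docker" { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0        # no docker group: nothing to report
    {
        # Supplementary members: comma-separated list in field 4.
        awk -F: '$1 == "docker" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Primary members: passwd entries whose GID (field 4) matches.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | LC_ALL=C sort -u
}

# Constructed sample data so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:alice,ci-runner
dockerx:x:999:mallory
EOF

cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
ci-runner:x:1001:1001::/home/ci-runner:/bin/sh
deploy:x:1002:998::/home/deploy:/bin/sh
bob:x:1003:1003::/home/bob:/bin/bash
EOF

echo "Accounts with root-equivalent access through the docker group:"
docker_group_members "$SAMPLE_DIR/group" "$SAMPLE_DIR/passwd"
```

On a real host, pass `/etc/group` and `/etc/passwd`; accounts served from a directory service (LDAP, SSSD) are not in those files and have to be checked through that service.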