The container currently runs as root. If that is required, which I assume it is since it has privilege, then make it explicit and add a comment. To help mitigate the potential damage if the container is pwned, use `readOnlyRootFilesystem: true`.
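
One way the suggestion above could look in a pod spec, as an added example that is not part of the original comment or the project's own manifest. The pod name, container name, image, the `/tmp` mount and the use of `privileged: true` are assumptions.

```yaml
# Added example; names, image and paths are hypothetical placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: example-agent                          # hypothetical
spec:
  containers:
    - name: agent                              # hypothetical
      image: registry.example.com/agent:1.0    # placeholder image
      securityContext:
        # Runs as root on purpose because the workload needs privileged
        # access (assumption; state the concrete reason in the real manifest).
        runAsUser: 0
        runAsNonRoot: false
        privileged: true
        # Root filesystem is mounted read-only so a compromised process
        # cannot rewrite binaries or drop files into the container image.
        readOnlyRootFilesystem: true
      volumeMounts:
        # With a read-only root, every path the process writes to must be
        # backed by an explicit volume; /tmp is an assumed example.
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```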