
While rootless is a curious technical trick, I don't understand why the implementation ever left someone's laptop: both file and networking performance are utterly abysmal, which is completely at odds with one of the primary benefits of containers (near zero overhead).


On servers, yes, rootless doesn't make much sense. But on my dev laptop, "sudo docker" is tiring and adding docker to the sudoers group is a big security hole (why does everyone seem to think that "docker run" giving root privileges is ok?!).


This indeed. The Docker team should not include the "adding your user to the docker group" section in the install documentation. It is very unsafe, and even though they link to a document on security implications, I don't think all users will truly grasp the implications.

Better to hide this feature and promote the rootless docker mode for local use. On servers you won't be adding any unprivileged user to the docker group in any case.


You should add yourself to the docker group...


which has the same effect: the docker group effectively has root access.


sudo usermod -aG docker $USER


this is not safer.


this is the same as:

%wheel ALL=(ALL) NOPASSWD: ALL

effectively disabling sudo completely.
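The comments above treat membership of the docker group and a "NOPASSWD: ALL" sudoers rule as the same root-equivalent grant. The script below is an added example, not code from the thread or from the Docker project: it audits both sources and lists every principal that holds such a grant. It runs against constructed sample files embedded in the block; on a real host you would point it at /etc/group and, with sudo, /etc/sudoers (and the files under /etc/sudoers.d, which it does not walk). The reason labels "docker-group" and "sudo-nopasswd-all" are this example's own naming.

```shell
#!/bin/sh
# Added example: find accounts with root-equivalent access, treating docker
# group membership the same as a passwordless "ALL" sudoers rule.

# Print the supplementary members of the docker group (field 4 of /etc/group,
# comma-separated). Usage: docker_group_members < /etc/group
docker_group_members() {
    awk -F: '$1 == "docker" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Print users or %groups granted passwordless ALL, i.e. lines of the form
#   %wheel ALL=(ALL) NOPASSWD: ALL
# Comment lines are skipped. Usage: sudo_nopasswd_all < /etc/sudoers
sudo_nopasswd_all() {
    awk '/^[[:space:]]*#/ { next }
         /ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)/ && /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { print $1 }'
}

# Combined report, one "<principal> <reason>" line per grant.
# Usage: root_equivalent_report <group-file> <sudoers-file>
root_equivalent_report() {
    docker_group_members < "$1" | sed 's/$/ docker-group/'
    sudo_nopasswd_all < "$2" | sed 's/$/ sudo-nopasswd-all/'
}

# Constructed sample inputs (not real system files), used for the demo below.
SAMPLE_GROUP=$(mktemp)
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
wheel:x:10:alice
docker:x:998:alice,bob
users:x:100:
EOF
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sudoers sample
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
carol ALL=(ALL) ALL
EOF

# Prints:
#   alice docker-group
#   bob docker-group
#   %wheel sudo-nopasswd-all
root_equivalent_report "$SAMPLE_GROUP" "$SAMPLE_SUDOERS"
```

Note that carol, who has a sudoers entry that still asks for a password, is not reported, while alice and bob show up purely because of docker group membership: nothing in the docker daemon asks them for anything before running a root-owned process on the host.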


This is the first I've heard about serious performance overhead from going rootless. Do you have any links with more info about it?

I haven't encountered any issues like this personally with rootless podman (although I'm not doing any large scale deployments).


What causes the file/networking performance degradation when running unprivileged containers?


The filesystem performance degradation was resolved in kernel 5.11 which added support for rootless overlayfs.

The network performance is caused by slirp (usermode TCP/IP) but it is being resolved too: https://github.com/rootless-containers/bypass4netns
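Since the comment above ties native rootless overlayfs to kernel 5.11, a quick check of the running kernel tells you whether a rootless daemon can use the native overlay driver or is falling back to fuse-overlayfs (or, without that installed, the slow vfs driver). The functions below are an added example, not code from the thread or from any container project; the version string parsing assumes the usual "major.minor.patch-suffix" form of uname -r.

```shell
#!/bin/sh
# Added example: is this kernel new enough for unprivileged overlayfs mounts
# (Linux 5.11+), the prerequisite for native overlay storage in rootless mode?

# Return 0 if kernel version $1 (e.g. "5.10.0-8-amd64") is at least $2.$3.
kernel_at_least() {
    v=${1%%-*}          # drop the distro suffix after the first '-'
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}   # works for "5.11" and "5.11.0" alike
    if [ "$major" -gt "$2" ]; then return 0; fi
    if [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; then return 0; fi
    return 1
}

# Return 0 if kernel version $1 supports rootless overlayfs natively.
rootless_overlay_ok() {
    kernel_at_least "$1" 5 11
}

# One-line verdict for the kernel given as $1, or the running kernel.
check_running() {
    k=${1:-$(uname -r)}
    if rootless_overlay_ok "$k"; then
        echo "$k: native rootless overlayfs available"
    else
        echo "$k: pre-5.11 kernel, rootless storage falls back to fuse-overlayfs or vfs"
    fi
}

check_running
```

To confirm what the daemon actually picked rather than what the kernel allows, compare with the storage driver reported by `docker info -f '{{.Driver}}'` (or `podman info` for Podman) while running as the unprivileged user; "vfs" there is the case where every layer is copied in full and file performance collapses.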


overlay2 or fuse-overlayfs?



