
They're suggesting that the attacker is in a position to `docker run`. Any attacker in that position has privesc to root, trivially.

Rootless mode requires unprivileged user namespaces, disabled on almost any distribution because it's a huge security hole in and of itself.
