I read through No New Privileges and understand that allowPrivilegeEscalation=false can be used to prevent child processes etc. from gaining more privileges.
How could a container elevate its privileges?
Is allowPrivilegeEscalation only good for container exploitation scenarios, or is there any other way a container can gain more privileges?
I realized that I had a misunderstanding.
If you call another binary within the container which has SUID or SGID set, the child process has more permissions, and the child process is able to perform root-level operations.
The privilege escalation is the invocation of the other binary.
So no container exploit is needed, since resources already present in the container are used.
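To check a container for the situation described in the answer above, the following added example (not part of the original post) inventories SUID/SGID executables under a directory and reads the kernel's NoNewPrivs flag for the current process. The function names and the default scan root /usr/bin are assumptions made for the illustration.

```python
import os
import stat
import sys

def setid_label(mode):
    """Return 'SUID', 'SGID', 'SUID+SGID' or '' for an executable regular file's mode."""
    if not stat.S_ISREG(mode) or not mode & 0o111:
        return ""
    flags = ((stat.S_ISUID, "SUID"), (stat.S_ISGID, "SGID"))
    return "+".join(label for bit, label in flags if mode & bit)

def find_setid_files(root):
    """Walk root without following symlinks; return sorted (path, label, owner_uid)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            label = setid_label(st.st_mode)
            if label:
                hits.append((path, label, st.st_uid))
    return sorted(hits)

def no_new_privs(status_text):
    """Parse the NoNewPrivs field of /proc/<pid>/status; None if the field is absent."""
    for line in status_text.splitlines():
        if line.startswith("NoNewPrivs:"):
            return line.split()[1] == "1"
    return None

def assess(root, status_text):
    """With no_new_privs set, execve() ignores set-ID bits, so the files found are inert.
    Simplification: nosuid mounts and file capabilities are not considered."""
    files = find_setid_files(root)
    nnp = no_new_privs(status_text)
    return {"no_new_privs": nnp, "setid_files": files,
            "exec_can_elevate": bool(files) and nnp is not True}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    try:
        with open("/proc/self/status") as fh:
            status = fh.read()
    except OSError:
        status = ""  # not Linux, or /proc not mounted
    report = assess(root, status)
    print("NoNewPrivs:", report["no_new_privs"])
    for path, label, uid in report["setid_files"]:
        print(f"{label:9} uid={uid} {path}")
    print("exec of these files can change effective IDs:", report["exec_can_elevate"])
```

Run inside the container, it shows NoNewPrivs as True when the flag is set for the process, in which case the listed binaries no longer change the effective IDs on exec.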