Comment 2 for bug 1584230

If you've got a distribution in a container with a vulnerable setuid-root executable it could be abused by an unprivileged user on the host to get real root on the system. So the filesystem storage is restricted to prevent untrusted users access. (Or, it _should_ be, we did a whole CVE dance for this once, right?)

The zfs iamge cannot be used for the same purpose so it does not need stricter permissions for this reason.

Thanks