Container Security

For convenience, the default container images use the root user within the container. This permits simplified access to host resources, including volume mounts and hardware devices under /dev/dri (for Vulkan support), but it also widens the attack surface for privilege-escalation exploits.

Alternative images, tagged as non-root, are also available. For example, llama-swap:cpu-non-root uses the unprivileged app user by default. Depending on deployment requirements, additional configuration may be necessary to ensure that the container retains access to the required host resources. This might entail customizing host filesystem permissions/ownership appropriately or injecting host group membership into the container.

Docker offers a system-wide option enabling user namespace remapping to accommodate situations where a root container user is required, but also notes that "The best way to prevent privilege-escalation attacks from within a container is to configure your container's applications to run as unprivileged users." Podman offers a similar capability, per container, to set the UID/GID mapping in a new user namespace.

The Large Language Model (LLM/AI) ecosystem is rapidly evolving, and serious security vulnerabilities have surfaced in the past. These alternative non-root images could reduce the impact of future, as yet unknown, problems. However, proper planning and configuration are recommended before adopting them.