That seems to be what Synology is suggesting, and you’re right, this wouldn’t be the best configuration if security is the goal.

I mean unless specified otherwise most Synology container management dockers will run as root. With that said, if you want to secure things then there are guides.

An alternative path would be to setup a specific docker user and use docker compose to use that user when installing images
drfrankenstein.co.uk/step-2-setting-up-a-restrict…

Jellyfin example
drfrankenstein.co.uk/jellyfin-in-container-manage…

From there you could go further and use the guides above to create one user per docker image and give them different permissions depending on need.

Its not as egregious as you think. ‘Everyone’ group means every Synology user account - not that everyone on the network that can talk to the NAS, they’d still need both a Synology account and Shared folder permissions. Any Synology user trying to access those files would still have to have read and write access to the Share to actually access it (eg via file explorer SMB/CIFs or app-level access to Synology File Manager, or they would need to be granted SSH access to get in via terminal, etc) in order to R/w/m the files.

I know it’s a bit confusing, but it’s correct. Docker often causes confusion with file permissions. There are file-level permissions (this article) and there are share-level permissions. You need both to access folders and files via mapped drives / SMB, this setting is just to ensure that Docker containers which can be running as a variety of user names (depending on how you config docker and the container) don’t experience issues accessing files you’re expecting them to be able to access, as Synology says, the default Docker folder permission is for the ‘everyone’ group to have Read-only access. This should allow most Docker containers configs to at least run and then if you run into issues writing/modifying files… That’s a clue you have missed some file permission configuration settings that need to be done, and the only reason it’s running at all is because that default ‘everyone’ permission is saving your butt.