DSMan195276 3 days ago

IMO if they truly don't consider it dangerous then they shouldn't have considered it a vulnerability at all, just a non-security bug. Labeling it a moderate vuln and not paying just seems like a bad middle ground to me, as though they haven't really decided if restricted root permissions is part of the security model or not.

eddythompson80 3 days ago

Eh, I’m guessing it’s just one of those bugs that have to be categorized as security, but the design assumes that this particular security layer is leaky and is only really there for the experience rather than actual security.

The container is almost certainly running with hypervisor isolation. The trust boundary is with the container. But an LLM is executing arbitrary code in a Jupyter notebook there. It could trash the container, which is not a security issue in itself (again since your boundary is hypervisor anyway) but it’s a pretty shitty experience. Suddenly copilot could trash its container and it no longer can execute code and you’re stuck until whatever session or health check kicks in to give you a new instance. So running LLM generated code/commands in a non-root user makes it easier to have a better experience.

At the same time, you’ll be laughed at if you don’t categorize a root escalation when not expected as a “not a security issue”.