What is "entire system" here? I'd run something like that in a VM, so the "entire system" would be nothing but the app itself.

If there is a RCE vuln in the app, your users are just as unsafe if it's running as root on the host or if it's running as nobody in a container. The valuable data is all inside.