I actually don't know who is misunderstanding who here. I work with containers daily and this is how I understand this situation:

The runner (trusted code) is tasked with taking job specifications from the user (untrusted code) and running them in isolated environments. Correct?

The runner is in a container with a mounted docker socket. It sends a /containers/create request to the socket. It passes a base image, some resource limits and maybe a directory mount for the checked out repository (untrusted code). The code could alternatively be copied instead of mounted. Correct?

The new container is created by dockerd without the socket mounted, because that wasn't specified by the runner ("Volumes": [] or maybe ["/whatever/user/repo/:/repo/"]). Correct?

The untrusted code is now executed inside that container. Because the container was created with no special mounts or privileges, it is as isolated as if it was created manually with docker run. Correct?

The job finishes executing, the runner uses the socket to collect the logs and artifacts, then it destroys the container. Correct?

So please tell me how you think untrusted code could get access to the socket here?