In the setup of Trusted Runners T295481 the idea came up to run the Docker executor on Trusted Runners with less privileges. This dedicated task is about running the Docker executor as non-root and with disabled sudo/dropped SETUID and SETGID capabilities (like the docs recommend for more security hardening).
This feature is not strictly needed to open Trusted Runners to the public but could enhance the security even more. Both the security improvements but also the added restrictions to CI jobs should be evaluated.
See also:
https://docs.gitlab.com/runner/security/#usage-of-docker-executor
https://docs.gitlab.com/runner/executors/docker.html
https://wikitech.wikimedia.org/wiki/GitLab/Gitlab_Runner/Security_Evaluation#Rootless_Docker_and_dropped_Docker_capabilities