PlqnK's comments (Hacker News)

They would need a vulnerability in containerd or the kernel to escape the sandbox and being root in the sandbox would give them more leeway to exploit that vulnerability.

But if they do have a vulnerability and manage to escape the sandbox then they will be root on your host.

Running your processes as an unprivileged user inside your containers reduces the possibility of escaping the sandbox; running your containers themselves as an unprivileged user (rootless podman or docker, for example) reduces the attack surface when they manage to escape the sandbox.


Without sudo privileges the worst they can do is nuke their own home directory, nothing else because that's the only path where they have write access.


On my phone running LineageOS 18.1 (Android 11) I have the following on/off options for every app: Allow network access, Wi-Fi data, Mobile data, Background data, VPN data, Unrestricted data usage (even when data saver is on)


I use CAPSLOCK as my fn key, it's right under my pinky, no need to move my hand. On my second layer I have arrow keys set on hjkl so in programs that don't support vim key bindings I can use them without moving my hand from the home row.

This is a more efficient way to use the arrow keys compared to a standard keyboard where you have to move your hand out of the home row.


Prices in France are TTC (Toutes Taxes Comprises, all taxes included), the VAT in France is 20% so if you take 20% off 1400€ you end up with 1159€ which is $1370. So in the end the MBP is a bit cheaper in France than in the US.

