In a Kubernetes environment, I suppose that the root user should not be allowed by default, to mitigate the risk in case the host OS is accessed from inside a container. This setting should be made by writing it in a PodSecurityPolicy.
Considering this, I am just wondering: why can we use the root user to run containers in public cloud Kubernetes services such as EKS, AKS and GKE? Do they have another layer of security measures to prevent containers from being compromised by attackers?