Do not use the --privileged flag or mount the Docker socket inside the container. Anything that can reach the Docker socket can spawn containers, so it is an easy way to take full control of the host, for example by starting another container with the --privileged flag.
Do not run as root inside the container. Use a different user or user namespaces. Root in the container is the same as root on the host unless remapped with user namespaces; it is only lightly restricted, primarily by Linux namespaces, capabilities, and cgroups.
Drop all capabilities (--cap-drop=all) and enable only those that are required (--cap-add=...). Many workloads don't need any capabilities at all, and every capability you add widens the scope of a potential attack.
Random thoughts on docker container escape and security in general: https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
All of these should also be configured in Kubernetes; the pod and container securityContext documentation is at https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ as well.
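As an added example (not part of the original post), a small check that reads the output of `docker inspect` and reports the misconfigurations listed above: --privileged, a mounted Docker socket, running as root, and a capability set that was not dropped. The sample inspect document is constructed here and deliberately trips every check.

```python
"""Audit a `docker inspect` document for the hardening points listed above."""
import json

# Constructed sample shaped like one entry of `docker inspect <container>`;
# it deliberately exhibits every issue the guidance warns about.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/build-agent",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/data:/data:ro"],
    },
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}])

DOCKER_SOCKET = "/var/run/docker.sock"


def audit_container(inspect_json: str) -> list[str]:
    """Return one finding string per problem found in the first container."""
    info = json.loads(inspect_json)[0]
    host = info.get("HostConfig") or {}
    findings = []

    if host.get("Privileged"):
        findings.append("privileged: --privileged disables most isolation")

    # The socket can arrive via -v (HostConfig.Binds) or --mount (Mounts).
    bind_sources = [b.split(":")[0] for b in host.get("Binds") or []]
    mount_sources = [m.get("Source", "") for m in info.get("Mounts") or []]
    if DOCKER_SOCKET in bind_sources + mount_sources:
        findings.append("docker-socket: host Docker socket is mounted")

    # An empty User means the image default, which is root unless USER was set.
    user = (info.get("Config") or {}).get("User") or ""
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("root-user: container runs as root (no --user / USER)")

    cap_drop = {c.upper() for c in host.get("CapDrop") or []}
    cap_add = {c.upper() for c in host.get("CapAdd") or []}
    if "ALL" not in cap_drop:
        findings.append("capabilities: default set kept (no --cap-drop=all)")
    if cap_add:
        findings.append("capabilities: added " + ",".join(sorted(cap_add)))
    return findings


if __name__ == "__main__":
    for finding in audit_container(SAMPLE_INSPECT):
        print("FAIL", finding)
```

Run it against real output with `docker inspect <container> | python3 audit.py` after replacing `SAMPLE_INSPECT` with `sys.stdin.read()`; an empty list means none of the four issues were found.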