If an attacker breaks out of the container, through a kernel bug, a runtime bug, a careless bind mount, or a misconfigured capability, they can land on the host as root. This is not hypothetical, we have well known examples, such as CVE-2025-9074.
If the same happened with a rootless container, the attacker would be able to act in the host system as well, but with an unprivileged user, limiting the scope and impact of their “expedition”.
This is not true. I have addressed this in my other comment here: https://programming.dev/post/51095402/24088470
TLDR: Kernel bugs from inside a rootless container still get root on the host. Podman wasn't effected due to more restricted default seccomp policy (controlling what syscalls can be used), but podman being rootless didn't actually help in the example of that recent CVE.