There’s no way the model has access to that information, though.
Google’s important product must have proper scoped secret management, not just environment variables or similar.
Containers can be entirely without anything. Some containers only contain the binary that gets executed. But many containers do contain pretty much a full distribution, but I have yet to see a container with a password hash in its /etc/shadow file…
So while the container has a root account, it doesn’t have any login at all, no password, no ssh key, nothing.
The containers still run an OS, have proprietary application code on them, and have memory that probably contains other user’s data in it. Not saying it’s likely, but containers don’t really fix much in the way of gaining privileged access to steal information.
The OS in a container is usually pretty barebones though. Great containers usually use distroless base images. https://github.com/GoogleContainerTools/distroless
That’s why it’s containers… in containers
It’s like wearing 2 helmets. If 1 helmet is good, imagine the protection of 2 helmets!