Running a container from Docker Hub is basically the same as curl piping into bash.
Curl piping into bash will trivially steal all of your data at once.
Running a container from Docker Hub is much safer, provided you do not give it privileges using --privileged or bind-mounting system files like the Docker control socket.
If your system is up to date and there are no docker 0-days active, the worst "docker run --rm -it RANDOM-CONTAINER" can do is to use too many resources -- your local secrets would be safe.
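The two comments above draw the line at "no --privileged, no socket or system-path bind mounts". As an added example (not code from the thread or from Docker), this shell script turns that line into a pre-flight check over a `docker run` argument list, and prints the flag set that the "no privileges" advice translates to, with cgroup limits so the "uses too many resources" worst case is bounded as well. The flag names are the docker CLI's own; the memory, CPU and pid limits are illustrative assumptions, and the list of rejected patterns is a starting point, not a complete policy.

```sh
#!/bin/sh
# Added example, not from the thread or from Docker: inspect a "docker run"
# argument list before executing it. Nothing here invokes docker.

# Returns 1 (printing why) if the arguments grant --privileged, a host
# namespace, extra capabilities, a device, a disabled seccomp/AppArmor
# profile, or a bind mount of the Docker/containerd socket or a system path.
check_docker_run_args() {
  status=0
  prev=""
  for arg in "$@"; do
    case "$arg" in
      --privileged)
        echo "REJECT: $arg"; status=1 ;;
      --pid=host|--net=host|--network=host|--ipc=host|--userns=host|--uts=host)
        echo "REJECT: host namespace via $arg"; status=1 ;;
      --cap-add*|--device*)
        echo "REJECT: $arg"; status=1 ;;
      --security-opt=seccomp=unconfined|--security-opt=apparmor=unconfined)
        echo "REJECT: $arg"; status=1 ;;
      *docker.sock*|*/run/docker*|*containerd.sock*)
        echo "REJECT: Docker/containerd socket in $arg"; status=1 ;;
    esac
    # Two-argument forms: "-v SRC:DST", "--mount type=bind,source=...",
    # "--security-opt seccomp=unconfined".
    case "$prev" in
      -v|--volume|--mount)
        case "$arg" in
          /|/:*|/etc*|/proc*|/sys*|/dev*|/run*|/var/run*|/boot*|/root*|*source=/,*|*src=/,*)
            echo "REJECT: system path bind mount $arg"; status=1 ;;
        esac ;;
      --security-opt)
        case "$arg" in
          seccomp=unconfined|apparmor=unconfined)
            echo "REJECT: $prev $arg"; status=1 ;;
        esac ;;
    esac
    prev="$arg"
  done
  return "$status"
}

# The "no privileges" run: drop every capability, forbid privilege
# escalation, read-only root with a small tmpfs, no network, unprivileged
# uid, and cgroup limits (values are illustrative assumptions).
hardened_run_args() {
  printf '%s\n' \
    --rm --interactive --tty \
    --cap-drop=ALL \
    --security-opt=no-new-privileges \
    --read-only --tmpfs=/tmp:rw,nosuid,nodev,size=64m \
    --network=none \
    --user=65534:65534 \
    --memory=512m --memory-swap=512m \
    --cpus=1 \
    --pids-limit=256
}

# Demo on two constructed command lines.
echo "== the 'give it privileges' invocation =="
if check_docker_run_args run --rm -it --privileged \
     -v /var/run/docker.sock:/var/run/docker.sock RANDOM-CONTAINER; then
  echo "would run"
else
  echo "blocked"
fi
echo "== hardened invocation =="
# shellcheck disable=SC2046  # word-splitting the flag list is intended
if check_docker_run_args run $(hardened_run_args) RANDOM-CONTAINER; then
  echo "docker run $(hardened_run_args | tr '\n' ' ')RANDOM-CONTAINER"
fi
```

Wrap the real `docker run` in a function that calls `check_docker_run_args "$@"` first and refuses on non-zero. Setting `--memory-swap` equal to `--memory` disables swap for the container, so the memory limit is a hard one; none of this helps against the kernel 0-day case the comment above already carves out.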
For non-automated builds, just pull to a local machine and use something like Portainer to have a look around.
And then review what it `FROM`s. And then review the core OS build that it relies on.
It's a lot of work. It is doable, but it is a lot of work.
I just wanted to make the point that I don't think it's impossible :)
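"Review what it FROMs" needs a list to start from, and a multi-stage Dockerfile has more FROM lines than outside dependencies. As an added example (not code from the thread or any project), this shell function walks a Dockerfile, resolves stage aliases inside the file, skips `scratch`, and prints only the images pulled from outside, flagging whether each is pinned by digest, tagged, or floating. The Dockerfile it runs on is a constructed sample with a fake digest.

```sh
#!/bin/sh
# Added example, not from the thread: list the external base images a
# Dockerfile really depends on, so you know what to review next.

# Usage: external_bases Dockerfile [Dockerfile...]   (reads stdin if none)
# Prints "<image>  <status>": pinned (by digest), tagged, or UNPINNED
# (no tag, or :latest, so the bytes can change under you between pulls).
external_bases() {
  awk '
    toupper($1) == "FROM" {
      i = 2
      # skip flags such as --platform=...
      while (i <= NF && substr($i, 1, 2) == "--") i++
      img = $i
      key = tolower(img)
      # is this FROM referring to an earlier stage of the same file?
      isstage = (key in stage)
      # register this line'"'"'s alias (FROM x AS name) for later FROM lines
      if (i + 2 <= NF && toupper($(i + 1)) == "AS") stage[tolower($(i + 2))] = 1
      if (key == "scratch" || isstage) next
      if (index(img, "@sha256:") > 0)                 st = "pinned"
      else if (img ~ ":[^/]+$" && img !~ ":latest$")  st = "tagged"
      else                                             st = "UNPINNED"
      print img "  " st
    }
  ' "$@"
}

# Constructed sample Dockerfile (fake digest, not a real image).
sample=$(mktemp)
cat > "$sample" <<'EOF'
FROM --platform=$BUILDPLATFORM golang:1.22 AS build
RUN go build -o /app ./cmd/app
FROM build AS test
RUN go test ./cmd/app
FROM scratch
FROM alpine
FROM gcr.io/distroless/static@sha256:deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
COPY --from=build /app /app
EOF
external_bases "$sample"
rm -f "$sample"
```

Run it on the Dockerfile of each base image in turn to walk down to the core OS build. An image you have already pulled does not record what it was built FROM, only the resulting layers, so for a Docker Hub image you need its published Dockerfile (or a layer-digest comparison) to do this walk; `docker history --no-trunc IMAGE` at least shows the per-layer commands of what you have locally.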
(Unless you explicitly expose ports or mount volumes or grant elevated kernel permissions.)
I can't think of a safer way of running someone else's code, can you?
FreeBSD has jails and Solaris has zones, both of which were designed to be safe sandboxes for OS-level virtualization or "containerization" as it's called today. The consensus, as far as I can tell, is that these are pretty safe/strict, at least as far as "provide a safe environment to execute untrusted code" goes.
On Linux, resource control mechanisms like cgroups and namespaces have been co-opted to simulate secure sandboxes, but it's not the same as actually providing them.
I can't speak with authority on Docker security, but that's a data point, from the largest cloud provider in the world.
Edit: I'd like to be wrong about this. Maybe some brave downvoter could help out here?