Is this really true, unless you start a container with `--privileged`? Incidentally, I just read a plan for better security defaults to avoid `--privileged` (which is not the default, AFAIK) on lwn: https://lwn.net/Articles/755238/
1) an exploit in the kernel,
2) optimistic configuration that allows host access, or
3) a volume mount that exposes something vulnerable like the host root or docker socket.
The quoted article was talking about running within the container as a different user, so I think, with context, what the article was saying is that _if_ there is a container breakout, it's much worse when running as root within the container.
It's possible to remap UIDs such that root in namespace X has UID=12340, and when root gets out of X, then he's nobody.
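The UID remapping described above, as an added example that is not from this thread: a small Python helper that parses the kernel's `/proc/<pid>/uid_map` format (id-inside-namespace, id-outside-namespace, count) and reports which host UID a container's root would land on. The map contents below are constructed; the 12340 value mirrors the comment above, and the 65534 overflow UID is the kernel's default for IDs that have no mapping.

```python
"""Translate container UIDs to host UIDs via /proc/<pid>/uid_map.

Each line of uid_map is: <id-inside-ns> <id-outside-ns> <count>.
A UID that falls in no range is unmapped; the kernel presents such IDs
as the overflow UID (65534, "nobody" on common distributions).
"""

OVERFLOW_UID = 65534  # kernel default, see /proc/sys/kernel/overflowuid


def parse_uid_map(text: str) -> list:
    """Parse uid_map text into a list of (inside, outside, count) tuples."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        inside, outside, count = (int(field) for field in line.split())
        if count <= 0:
            raise ValueError(f"bad range count in uid_map line: {line!r}")
        ranges.append((inside, outside, count))
    return ranges


def to_host_uid(ns_uid: int, ranges: list) -> int:
    """Map a UID as seen inside the namespace to the host's view of it."""
    for inside, outside, count in ranges:
        if inside <= ns_uid < inside + count:
            return outside + (ns_uid - inside)
    return OVERFLOW_UID  # unmapped: shows up as nobody on the host


def root_is_remapped(text: str) -> bool:
    """True when in-container root (UID 0) is not host root."""
    return to_host_uid(0, parse_uid_map(text)) != 0


# Constructed samples: a remapped container vs. one without user namespaces.
REMAPPED_MAP = "0 12340 65536\n"   # container root becomes host UID 12340
IDENTITY_MAP = "0 0 4294967295\n"  # the default: container root == host root

if __name__ == "__main__":
    for name, m in (("remapped", REMAPPED_MAP), ("identity", IDENTITY_MAP)):
        host = to_host_uid(0, parse_uid_map(m))
        print(f"{name}: container root -> host uid {host}, "
              f"remapped={root_is_remapped(m)}")
```

On a live host, feed it the contents of `/proc/<container-pid>/uid_map` to confirm that a running container's root does not map to host UID 0.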