Feature Request: Option to turn off warning "Syncthing should not run as a privileged or system user."

(I’m reversing the order of my reply, addressing the “why” question first because it’ll make more sense.)

Perhaps you’ve got some really valuable poop? (For inquiring minds, look up “fecal transplant”. :wink:)

But more seriously, it really depends on the level of risk tolerance…

First, consider why some people have a safe/vault in their house even though they always lock their exterior doors and windows.

As you already know, the general rule of thumb is to limit the number of network services running with root/admin privileges, helping to minimize the overall attack surface.

Nowadays it seems like not a week (or day) goes by without another breach related to a network service. If a service isn't running as root and an intruder gets onto the system, it's harder for them to install a rootkit, move laterally to other servers, etc.

LXC is great and very robust, but it’s not bulletproof…

There have been successful privilege escalation attacks against LXC that allowed a user to escape the sandbox.

Under the hood, Docker uses the same cgroups kernel subsystem.

Back in 2019, Microsoft was using an older version of runc for its Docker service on its Azure platform. There was a vulnerability that allowed a customer to escape a Docker container to access a shell prompt on the host.

Because Docker Engine runs with root privileges, a second mistake allowed the user to grab an access token from the network traffic using tcpdump. That access token was used by Microsoft for its Kubernetes server in Azure, allowing the user to remotely manage Docker container instances belonging to other customers.

On a related note, a quote from Syncthing’s specifications page:

In addition the untrusted device must not be able to modify, remove or introduce data by itself without detection.
