Docker containers run as “unprivileged” by default and thus are unable to execute most system and network administration operations. Docker privileged mode gives containers root access, which may not be optimal or secure for many workloads. With cap-add and cap-drop, you can specify the capabilities to add or drop for each container in a task definition. This gives you fine-grained controls to run containerized applications that require additional permissions without adding unnecessary security risks.