rootprivileges unless you opt-in to Rootless mode (experimental), and you should therefore be aware of some important details.
/hostdirectory is the
/directory on your host; and the container can alter your host filesystem without any restriction.
docker load, or from the network with
docker pull. As of Docker 1.3.2, images are now extracted in a chrooted subprocess on Linux/Unix platforms, being the first-step in a wider effort toward privilege separation. As of Docker 1.10.0, all images are stored and accessed by the cryptographic checksums of their contents, limiting the possibility of an attacker causing a collision with an existing image.