Docker-Compose: order of cap_drop and cap_add?

I’ve found it out when I had a lucky streak with moby’s source code. Details answered here: https://stackoverflow.com/a/63219871

bottom line: order of cap add and drop is hardcoded (YAML doesn’t define any, thus same for CLI args), but varies depending on especially ALL. First matching case below terminates.

  • container is privileged: true: ignore cap_add and cap_drop completely, return all available capabilities instead.
  • both cap_add and cap_drop are empty : return the default Docker set of capabilities.
  • cap_add contains ALL : return all capabilities minus the capabilities listed in cap_drop (ignores ALL in the latter).
  • cap_drop contains ALL : return the capabilities from cap_add only, ignoring any Docker default capabilities.
  • default: first drop all capabilities from the default set listed in cap_drop, then add the capabilities in cap_add, and finally return the result.
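As an added illustration (my own Python model of the decision order above, not moby's code), the five cases as a function a reviewer can run against a compose file's values; DEFAULT_CAPS is Docker's documented default set, while ALL_CAPS is a constructed, abbreviated stand-in for the full kernel list and name normalization is simplified:

```python
"""Model of Docker's cap_add / cap_drop resolution order (illustrative)."""
from __future__ import annotations

# Docker's default capability set (names without the CAP_ prefix).
DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
})

# Constructed, abbreviated stand-in for "every capability the kernel knows";
# the real list is longer (see capabilities(7)).
ALL_CAPS = DEFAULT_CAPS | frozenset({
    "NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_TIME",
})


def _normalize(names) -> set[str]:
    """Accept 'cap_net_admin', 'NET_ADMIN', 'all', ... and return upper-case
    names without the CAP_ prefix; 'ALL' stays as the literal marker.
    Unknown names raise, so a typo in cap_drop cannot silently do nothing."""
    out = set()
    for name in names:
        name = name.strip().upper()
        if name.startswith("CAP_"):
            name = name[4:]
        if name != "ALL" and name not in ALL_CAPS:
            raise ValueError(f"unknown capability: {name}")
        out.add(name)
    return out


def effective_caps(cap_add=(), cap_drop=(), privileged=False) -> frozenset[str]:
    """Return the capability set a container ends up with; first match wins."""
    add, drop = _normalize(cap_add), _normalize(cap_drop)
    if privileged:                 # privileged: true ignores both lists
        return ALL_CAPS
    if not add and not drop:       # nothing configured: Docker default set
        return DEFAULT_CAPS
    if "ALL" in add:               # add ALL, then subtract drops (ALL in drop ignored)
        return ALL_CAPS - drop
    if "ALL" in drop:              # drop ALL: only the explicit adds survive
        return frozenset(add)
    return frozenset((DEFAULT_CAPS - drop) | add)   # default: drop, then add


def beyond_default(cap_add=(), cap_drop=(), privileged=False) -> frozenset[str]:
    """Capabilities granted that are not in Docker's default set (review aid)."""
    return effective_caps(cap_add, cap_drop, privileged) - DEFAULT_CAPS
```

Note that cap_add: [ALL] combined with cap_drop: [ALL] yields every capability, since the cap_add case is matched first.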