docker-in-docker has some stability issues.
--privileged basically makes root in your container be full root on the host. it can manage kernel params, it has all capabilities, etc.
See https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/ for more information.
I, personally, don’t have a problem with using the docker socket to run processes on a host. I’ve scripted commands to be run on hosts using ssh or chef for years. As long as I take the same precautions and considerations as I do for any other root level scripting, I don’t think it’s a terrible idea.
I am more inclined to set up TLS and use a remote docker host in my scripting rather than mount the docker socket. That lets my dockerized processes manage some other docker host that might be in a DMZ or have other security measures taken.
In some cases, such as when running jwilder/nginx-proxy, you have to have something that can talk to docker to get the events stream. I like running my processes containerized, so running docker-gen in a container seems like a natural fit. Using their “Separate Containers” approach is sane.