Docker doesn’t, as far as I know, secure data in any direct sense. That is the job of the database and the app design. For example, if you’re storing passwords in plain text then Docker is not going to help you fix that.
The one area it can help is by layered networks. You can do this without Docker of course, but you’d need separate physical servers and networks. Docker lets you do it all on one machine.
The way I have mine configured is to have an SSL proxy container which is linked to the host's HTTP (80) and HTTPS (443) ports. These are the only access points from the host network.
I then create a pair of docker networks using the “docker network create” command, one called “web” and one called “db”.
All of my webserver containers have no ports exposed on the host network but are connected to the “web” docker network (either using --net on the run command or the network option in a docker-compose file).
The MariaDB (same as MySQL) container runs on the db network.
If a web app needs database access then I simply connect that specific web server container to the db network.
The principle is simply defense in depth. An attacker would need to penetrate the proxy server to get to the web network and then penetrate one of the web servers before even getting the opportunity to look at penetrating the db.
Of course, none of this does anything to protect you from other db threats like SQL injection attacks. These are simply the result of bad software design and there's nothing that Docker can do to help you there.
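The layout described in the post, written out as an added docker-compose file (this is not from the original post); the service names, image tags, file paths and the `internal: true` setting on the db network are assumptions, not something the post specifies.

```yaml
# Added example, not the poster's own file. Three tiers: a proxy that is the
# only service publishing host ports, web apps on the "web" network only,
# and MariaDB on the "db" network only. Names and paths are assumed.
services:
  proxy:
    image: nginx:stable                 # assumed: any TLS-terminating reverse proxy
    ports:
      - "80:80"
      - "443:443"                       # the only ports published on the host
    volumes:
      - ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro   # assumed path
      - ./proxy/certs:/etc/nginx/certs:ro             # assumed path
    networks:
      - web

  app_public:                           # a web app with no database access
    image: example/app-public:1.0       # placeholder image name
    # no "ports:" section: reachable only through the proxy on "web"
    networks:
      - web

  app_accounts:                         # the one web app that needs the db
    image: example/app-accounts:1.0     # placeholder image name
    environment:
      DB_HOST: mariadb                  # resolves only on the shared "db" network
    networks:
      - web
      - db                              # explicitly attached to both tiers

  mariadb:
    image: mariadb:10.11
    environment:
      MARIADB_ROOT_PASSWORD_FILE: /run/secrets/db_root
    secrets:
      - db_root
    networks:
      - db                              # never on "web", never published on host

networks:
  web:
  db:
    internal: true                      # assumed: db tier gets no route off the host

secrets:
  db_root:
    file: ./secrets/db_root.txt         # assumed path, kept out of the compose file
```

After `docker compose up -d`, `docker network inspect db` should list only `mariadb` and `app_accounts` under Containers; if `app_public` or `proxy` appear there, the tiering has been broken.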