Just as there could be malicious code inside Traefik/Portainer/whatever that would abuse the docker socket, there could be malicious code inside Tecnativa that would abuse the docker socket.

That’s the wrong approach.

Have you found any malicious code? Simply stating the possibility, based on unwarranted paranoia, seems counterintuitive.

The more interesting question would be what you are doing that would justify this level of scrutiny.