"Protect the Docker daemon socket": this article may be unsafe?

As the article describes, all those certificates are signed by one CA.
If one Docker host server is controlled by a hacker, the server-cert.pem and server-key.pem would be used as a Docker client certificate, and then the Docker client can connect to any Docker host server.

Am I right, or am I missing something?