It would be handy if health checks would have an --external flag which would result in the check being run by the host. If the host has curl, one wouldn’t have to extend minimal images that might have removed sh, apt-get etc…
Maybe convoluted but there could be a monitoring image that could do the curl for you and call the docker daemon to terminate and restart the container if the healthcheck fails.
However, I am personally on the side that the container should be able to check itself because it is the one that knows about itself more than anyone else.
Yes, the --external should be the not-default option. An external health check would also have the advantage of being able to check that you have mapped the exposed ports correctly.
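One way to run the host-side check discussed in this thread, as an added example that is not part of any post above: the host probes the published port with curl and asks the Docker daemon to restart the container after repeated failures. The container name `web`, the URL, the thresholds and the script name `watchdog.sh` are assumptions.

```shell
#!/bin/sh
# Host-side health check for a container whose image has no shell or curl.
# Assumed values (not from the thread): container name, URL, thresholds.
CONTAINER="${CONTAINER:-web}"               # hypothetical container name
URL="${URL:-http://127.0.0.1:8080/health}"  # hypothetical host-published port and path
INTERVAL="${INTERVAL:-30}"                  # seconds between probes
RETRIES="${RETRIES:-3}"                     # consecutive failures before a restart

# Probe through the published port, so a wrong port mapping also fails the check.
probe() {
    curl --fail --silent --show-error --max-time 5 --output /dev/null "$1"
}

# Ask the Docker daemon to restart the container.
restart_container() {
    docker restart "$1"
}

# check_once FAILS: run one probe and print the new consecutive-failure count.
# Restarts the container and resets the count once RETRIES is reached.
check_once() {
    fails="$1"
    if probe "$URL"; then
        echo 0
        return 0
    fi
    fails=$((fails + 1))
    if [ "$fails" -ge "$RETRIES" ]; then
        # Keep docker's output off stdout, which carries the count.
        restart_container "$CONTAINER" >&2
        fails=0
    fi
    echo "$fails"
}

# Probe forever, carrying the failure count between rounds.
watch_container() {
    count=0
    while true; do
        count="$(check_once "$count")"
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as: ./watchdog.sh run
if [ "${1:-}" = "run" ]; then
    watch_container
fi
```

The account that runs this needs access to the Docker daemon, which is equivalent to root on the host, so it belongs in a dedicated, locked-down service account or unit.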