I am not sure I fully understand the questions either, but rootless Docker means the user on behalf of which the Docker daemon is running becomes root inside the container. So if you see files originally owned by testuser suddenly owned by root that is because every process in the container “thinks” that user is the root. Any file that you create inside the container as root on a mounted filesystem will be saved on the host as testuser. Other files on the host that testuser doesn’t own will be shown in the container as owned by the user “nobody” with the group “nogroup”.
It looks like you are mixing two solutions. You could use --user 1002:1002
with rootful docker, because root is allowed to run processes on behalf of another user. If you do it with rootless Docker, the real user id on the host would be something like 330423. I have just used a random number, I am not sure if it is valid. The point is that 1002 will be converted to a large number. Large enough so the ID most likely doesn’t belong to an existing username on the host. This way you are no longer root in the container and you don’t even have permission to change files on the host owned by testuser with UID 1002.
If you want to run rootless Docker and still allow for example www-data (usually UID 33) to be able to read and write files you need to figure out the userid on the host. You can create a folder writable by everyone, start the container, create the file in the container as www-data and check the ownership of the file on the host.
Or you can check the content of /etc/subuid. Here is mine on a test virtual machine where the user is “ubuntu”:
cat /etc/subuid
ubuntu:100000:65536
The content means that UID 1 will actually be 100000 so UID 33 will be 100032 and the container will be allowed to use maximum 65536 UIDs.
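The UID arithmetic described above (container UID 0 is the rootless user itself, container UID 1 lands on the first subordinate UID, UID 33 on start + 32, and anything outside the ranges shows up as "nobody") is easy to get wrong by one, so here is a small calculator for it. This is an added example, not code from the post or from Docker: the /etc/subuid content is constructed to match the shape of the line shown, the rootless user's own host UID of 1000 and the overflow UID 65534 are assumptions, and the function names are mine.

```python
"""Map container UIDs to host UIDs for rootless Docker, from /etc/subuid entries.

Added example, not from the original post. SAMPLE_SUBUID is constructed; the
host UID of the rootless user (1000) and the overflow UID (65534) are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample with the same shape as the line shown in the post.
SAMPLE_SUBUID = """\
ubuntu:100000:65536
testuser:165536:65536
"""

# UID a process sees for files it has no mapping for ("nobody" on most hosts).
OVERFLOW_UID = 65534  # assumption for this example


@dataclass
class SubuidRange:
    user: str
    start: int
    count: int


def parse_subuid(text: str) -> List[SubuidRange]:
    """Parse /etc/subuid: one 'user:start:count' entry per line, blanks and comments skipped."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.append(SubuidRange(user, int(start), int(count)))
    return ranges


def container_to_host_uid(container_uid: int, user: str, user_host_uid: int,
                          ranges: List[SubuidRange]) -> int:
    """Host UID that a file created by `container_uid` inside a rootless container gets.

    Container UID 0 is the rootless user's own host UID; container UIDs 1, 2, ...
    are laid out over the user's subordinate ranges in /etc/subuid order; a UID
    beyond the ranges has no mapping and is written/shown as the overflow UID.
    """
    if container_uid < 0:
        raise ValueError("uid must be non-negative")
    if container_uid == 0:
        return user_host_uid
    offset = container_uid - 1  # container UID 1 is the first subordinate UID
    for r in (r for r in ranges if r.user == user):
        if offset < r.count:
            return r.start + offset
        offset -= r.count
    return OVERFLOW_UID


def host_to_container_uid(host_uid: int, user: str, user_host_uid: int,
                          ranges: List[SubuidRange]) -> Optional[int]:
    """Inverse: which container UID owns a host file, or None if unmapped (appears as nobody)."""
    if host_uid == user_host_uid:
        return 0
    base = 1
    for r in (r for r in ranges if r.user == user):
        if r.start <= host_uid < r.start + r.count:
            return base + (host_uid - r.start)
        base += r.count
    return None


if __name__ == "__main__":
    ranges = parse_subuid(SAMPLE_SUBUID)
    for uid in (0, 1, 33, 1002, 65536, 65537):
        print(f"container uid {uid:>6} -> host uid {container_to_host_uid(uid, 'ubuntu', 1000, ranges)}")
    # A host file owned by testuser (UID 1002) has no mapping for the ubuntu user.
    print("host uid 1002 inside the container:", host_to_container_uid(1002, "ubuntu", 1000, ranges))
```

Run it against your own /etc/subuid (and /etc/subgid for the group side, which works the same way) and compare with what `ls -n` shows on the host for a file created by `--user 33:33` in a rootless container. The `None` result for host UID 1002 is the mechanism behind the post's point: a file owned by another host user has no entry in the rootless user's map, so the container sees it as nobody and cannot chown or write it.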