Are most developers aware that "ufw default deny incoming" does not work unless using host networking, or unless we modify the docker daemon or iptables directly?
Also, with the simplicity of ufw, do folks take the time to learn how to work with iptables? I was bitten by this twice when hosting small dev stuff like mongodb, redis and nfs - often accessed in trusted networks without authentication - where after locking down ufw I'd get a notice from the cloud provider (DO, Hetzner) a few days later telling me which port I had open. After debugging, I ended up here (https://github.com/docker/for-linux/issues/690). First time I made a mental note. Second time I finally wrote it down. It's really not obvious.
If you host on your own infrastructure, or AWS, I don't think you get a notice, so docker-compose up can be really dangerous.
I guess I would like your comments on whether this is a probable cause of many breaches and whether there is some responsibility (technical, not legal) on docker to properly document this behavior and probably fix it.
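The mechanism behind the surprise described in the post is that ufw places its rules in the filter table's INPUT chain, while traffic to a published container port is DNATed in the nat table's DOCKER chain and then traverses FORWARD, where Docker's own rules accept it. The following audit script is an added example, not code from the post or from the linked Docker issue: it reads `iptables-save` output (a constructed sample dump is embedded so it runs offline) and lists every published port that is bound to all addresses, plus whether the DOCKER-USER chain, which Docker leaves for administrator rules, has been customised at all. The sample container addresses and port numbers are made up for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): audit an iptables-save dump
# for Docker-published ports that ufw's INPUT-chain rules never see.
#
# In iptables-save output Docker emits, per published port, a nat-table rule like
#   -A DOCKER ! -i docker0 -p tcp -m tcp --dport 27017 -j DNAT --to-destination 172.17.0.2:27017
# When the port was published on 127.0.0.1 only, the rule also carries
# "-d 127.0.0.1/32". No "-d" at all means the port answers on every interface,
# regardless of "ufw default deny incoming".

# Print one line per DNAT rule in the nat DOCKER chain:
#   EXPOSED <port>/<proto> -> <container>   (no -d: reachable from anywhere)
#   BOUND <addr> <port>/<proto> -> <container>   (restricted by -d)
# Input: iptables-save output on stdin.
audit_docker_exposure() {
    awk '
        /^\*/ { table = substr($0, 2) }                 # *nat, *filter, ...
        table == "nat" && $1 == "-A" && $2 == "DOCKER" && / -j DNAT / {
            bound_to = ""; proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d")      bound_to = $(i + 1)
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (bound_to == "")
                printf "EXPOSED %s/%s -> %s\n", port, proto, $NF
            else
                printf "BOUND %s %s/%s -> %s\n", bound_to, port, proto, $NF
        }
    '
}

# Exit 0 if the filter-table DOCKER-USER chain holds any rule besides the
# default "-j RETURN" (i.e. someone has added restrictions there), else exit 1.
docker_user_chain_customised() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "DOCKER-USER" && $0 !~ / -j RETURN$/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample dump: a host with ufw (INPUT DROP), a mongodb container
# published on all addresses and a redis container published on loopback only.
SAMPLE_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 27017 -j DNAT --to-destination 172.17.0.2:27017
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.3:6379
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT
EOF
)

# Stand-alone run against the sample; on a real host use:  sudo iptables-save | audit_docker_exposure
printf '%s\n' "$SAMPLE_DUMP" | audit_docker_exposure
if printf '%s\n' "$SAMPLE_DUMP" | docker_user_chain_customised; then
    echo "DOCKER-USER has custom rules"
else
    echo "DOCKER-USER is untouched: published ports are not filtered by ufw"
fi
```

On the sample the script reports the mongodb port as EXPOSED and the redis port as BOUND to 127.0.0.1/32, and notes that DOCKER-USER is untouched. The two mitigations this check points at are the ones the linked issue converges on: publish dev services as `127.0.0.1:PORT:PORT` in compose so Docker adds the `-d` restriction itself, and put host-wide restrictions in the DOCKER-USER chain (which sits in FORWARD) rather than relying on ufw's INPUT rules.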