My comment in the comment chain was:
An attacker escaping from a container can’t be system root as Podman runs rootless (without some other exploit or weak password).
We could give the op the benefit of the doubt and thinking that they were saying that the attacker inside the container managed to gain root inside the container.
Very true. The discussion helped me, as I did think it meant not easily editable.
As root of course you can change the system to be any other type of system (layer packages, rebase, whatever), but I did assume it meant not easily modifiable in it’s current state.