I should clarify that the Docker image launches that gateway directly, no systemd involved (as is typical in most container images). The capabilities that a container gets when launched is controlled by the container runtime--see some info here. There isn't a way to "request" default capabilities within the OCI image definition that I'm aware of.