
Why would you bind to a public IP and then use a firewall when you could just not bind to a public IP in the first place?


The general expectation when running an application is that when you misconfigure your system, the firewall will at least block incoming traffic. If I run ./program, the system will prevent me from fucking up too badly, like it should. If I docker run vendor/program, that extra layer of defence is gone.

Most programs still bind to 0.0.0.0 and that's not a problem if your firewall works the way you expect it to. Docker's firewall rules overriding UFW's firewall rules without notice is unexpected for many people.

I know I fell for this one years ago when I first messed around with Docker; luckily I wasn't running anything important.


Because people use docker-compose.yaml files verbatim, or copy docker run command lines, which more often than not do “-p 8000:8000”, instead of “-p 127.0.0.1:8000:8000”. Therein lies the issue.
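
Added example, not code from any commenter in this thread: a small Python audit of `docker run -p` values and compose `ports:` short-syntax entries that flags every publication Docker will bind on a non-loopback address, which is exactly the difference drawn above between `-p 8000:8000` and `-p 127.0.0.1:8000:8000` (and why the UFW expectation two comments up breaks). The port strings and the `docker run` command line are constructed samples; the parser follows the documented `[[HOST_IP:]HOST_PORT:]CONTAINER_PORT[/PROTO]` short form and needs no Docker daemon.

```python
"""Audit Docker port publications (-p/--publish values and compose `ports:`
short syntax) and report the ones Docker will bind on every interface.

Added example, not from the thread.  Parses the short form
[[HOST_IP:]HOST_PORT:]CONTAINER_PORT[/PROTO] by hand; runs offline.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PortSpec:
    host_ip: Optional[str]     # None: no address given, so Docker uses 0.0.0.0
    host_port: Optional[str]   # None: Docker picks an ephemeral host port
    container_port: str
    proto: str = "tcp"

    def reachable_from_network(self) -> bool:
        """True unless the publication is pinned to a loopback address."""
        if self.host_ip is None:
            return True
        return not ipaddress.ip_address(self.host_ip).is_loopback


def parse_port_spec(spec: str) -> PortSpec:
    """Parse one short-syntax port spec, e.g. '127.0.0.1:8000:8000/tcp'."""
    spec = spec.strip()
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)

    host_ip = None
    if spec.startswith("["):            # bracketed IPv6: [::1]:8000:8000
        end = spec.index("]")
        host_ip = spec[1:end]
        if spec[end + 1:end + 2] != ":":
            raise ValueError(f"bad port spec: {spec!r}")
        parts = spec[end + 2:].split(":")   # host port slot may be empty
        if len(parts) != 2:
            raise ValueError(f"bad port spec: {spec!r}")
    else:
        parts = spec.split(":")
        if len(parts) == 3:                 # IP:HOST:CONTAINER
            host_ip, parts = parts[0], parts[1:]
        elif len(parts) == 1:               # CONTAINER only
            parts = ["", parts[0]]
        elif len(parts) != 2:
            raise ValueError(f"bad port spec: {spec!r}")

    host_port, container_port = parts
    return PortSpec(host_ip, host_port or None, container_port, proto)


def ports_from_docker_run(cmdline: str) -> List[str]:
    """Extract every -p / --publish value from a `docker run` command line."""
    argv = shlex.split(cmdline)
    specs: List[str] = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-p", "--publish"):          # separate value
            specs.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--publish="):        # --publish=SPEC
            specs.append(arg.split("=", 1)[1])
        elif arg.startswith("-p") and len(arg) > 2:   # -pSPEC
            specs.append(arg[2:])
        i += 1
    return specs


def audit(specs: List[str]) -> List[str]:
    """One finding per publication that other hosts can reach.

    Such ports bypass UFW because Docker installs its own iptables rules."""
    findings = []
    for raw in specs:
        p = parse_port_spec(raw)
        if p.reachable_from_network():
            bound = p.host_ip or "0.0.0.0 (no host IP given)"
            findings.append(f"{raw}: container port {p.container_port}/{p.proto} "
                            f"bound on {bound}; reachable despite UFW")
    return findings


# Constructed sample inputs: a compose `ports:` list and a `docker run` line.
COMPOSE_PORTS = ["8000:8000", "127.0.0.1:8000:8000", "[::1]:5432:5432",
                 "9000", "127.0.0.1::6379/tcp", "192.168.1.10:53:53/udp"]
DOCKER_RUN = ("docker run -d -p 8000:8000 --publish=127.0.0.1:9000:9000 "
              "-p127.0.0.1:3306:3306 vendor/program")

if __name__ == "__main__":
    for line in audit(COMPOSE_PORTS) + audit(ports_from_docker_run(DOCKER_RUN)):
        print(line)
```

Anything the audit lists is a candidate for the `127.0.0.1:` prefix, unless it really is meant to be served to other machines, in which case the host firewall needs rules that Docker's own chains will honour.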


What's the difference? Because the latter is your own device and the former still lets you connect to it.

I'm kinda sleepy, so I'm sure it's a stupid question.

Edit: 127.0.0.1 is only getting in and nobody else.


Sometimes you want to allow traffic only from specific public IPs, or to rate limit traffic.



