diff --git a/docker/l4-port-manager/Dockerfile b/docker/l4-port-manager/Dockerfile
index 7a535dbb..d4ed3177 100644
--- a/docker/l4-port-manager/Dockerfile
+++ b/docker/l4-port-manager/Dockerfile
@@ -6,7 +6,10 @@ RUN apk add --no-cache bash
 COPY docker/l4-port-manager/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
-RUN addgroup -g 1001 -S appgroup && adduser -u 1001 -S appuser -G appgroup
-USER appuser
+# Runs as root intentionally: this sidecar executes `docker compose` to
+# recreate the caddy container and writes status files to the shared
+# caddy-manager-data volume (owned by the web container's UID).
+# Access to the Docker API is scoped via the docker-socket-proxy service
+# which restricts to GET/POST on /containers/ and /compose/ only.
 ENTRYPOINT ["/entrypoint.sh"]
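Review bot: Neither reason given in the new comment actually requires dropping `USER appuser`: writing to a volume owned by the web container's UID is solved by creating the sidecar user with that same UID, and talking to docker-socket-proxy goes over TCP, so no socket file permission is needed; keeping the two removed lines with a matching id, `RUN addgroup -g <WEB_UID> -S appgroup && adduser -u <WEB_UID> -S appuser -G appgroup` / `USER appuser`, preserves the non-root hardening. The comment's description of the proxy should also be checked against the proxy's own configuration: the Docker Engine API has no `/compose/` path, and recreating a container with `docker compose` typically also reads `/images/` and `/networks/`, so the allowlist as written would presumably either fail or be broader than stated. Independently of the path list, POST on `/containers/` lets the caller create containers with arbitrary host mounts and privileges, so the comment should say that the proxy limits which endpoints are reachable rather than imply the sidecar's Docker access is low-risk; a wording such as `# NOTE: POST /containers/ is host-root-equivalent if this container is compromised; the proxy narrows the API surface, it does not remove that risk.` would set expectations correctly.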