

If Cloudflare wants to operate in a jurisdiction it has to follow its laws. They can fight them in court, but if a court orders them to do something they’ll likely comply in some way or another.
E.g. the UK wanted a backdoor in E2EE iCloud, so Apple disabled E2EE in the UK.
It’s mostly to allow the reverse proxy on localhost to connect to the container/service, while blocking all other hosts/IPs.
This is especially important when using Docker, as it messes with iptables and can circumvent firewalls such as ufw.
You’re right that it doesn’t increase security in case of a compromised container. It’s just about outside connections.
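
An added example, not part of the comment above: a small audit of Docker Compose short-syntax `ports` entries that flags anything published beyond loopback. It assumes the setting under discussion is the host IP in a published port (e.g. `127.0.0.1:8080:80`); the service names and port values are constructed sample data.

```python
import ipaddress

def published_host_ip(spec):
    """Return the host IP of a Compose short-syntax port spec, or None if omitted."""
    spec = spec.strip().split("/", 1)[0]       # drop a trailing "/tcp" or "/udp"
    if spec.startswith("["):                    # bracketed IPv6 host address
        host, sep, _rest = spec[1:].partition("]:")
        if not sep:
            raise ValueError(f"malformed IPv6 port spec: {spec!r}")
        return host
    parts = spec.split(":")
    if len(parts) > 3:
        raise ValueError(f"malformed port spec: {spec!r}")
    # "IP:HOST:CONTAINER" carries a host IP; "HOST:CONTAINER" and "CONTAINER" do not.
    return parts[0] if len(parts) == 3 else None

def exposure(spec):
    """Classify how widely a published port is reachable on the host."""
    host = published_host_ip(spec)
    if host is None:
        return "all-interfaces"                 # Docker's default bind address
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback-only"                  # only a local reverse proxy can connect
    if ip.is_unspecified:
        return "all-interfaces"                 # explicit 0.0.0.0 or ::
    return "single-address"

def audit(services):
    """Return (service, spec, exposure) for every port not bound to loopback."""
    return [(name, spec, exposure(spec))
            for name, ports in services.items()
            for spec in ports
            if exposure(spec) != "loopback-only"]

# Constructed sample: service name -> list of "ports" entries from a compose file.
SAMPLE = {
    "app": ["127.0.0.1:8080:80"],
    "db": ["5432:5432"],
    "metrics": ["0.0.0.0:9100:9100/tcp"],
    "admin": ["[::1]:9000:9000"],
    "cache": ["192.0.2.10:6379:6379"],
}

if __name__ == "__main__":
    for service, spec, level in audit(SAMPLE):
        print(f"{service}: {spec} -> {level}")
```

Entries reported as `all-interfaces` are the ones that stay reachable from outside even when ufw shows the port as closed, because Docker inserts its own iptables rules for published ports.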