Ramblings of an aging IT geek

running containers rootless without it ruining my week

Notes on moving a handful of homelab services to rootless Podman, and the two settings that caused most of the pain.


I finally moved my homelab services off root-owned Docker and onto rootless Podman, mostly because I was tired of explaining to myself why a media indexer needed a daemon running as uid 0. The short version: it works, and the two things that bit me were user namespaces and lingering.

Rootless containers map your user into a range of subordinate uids, so the container's "root" is really you, and its uid 100 is, on the host, some number up in the 100000s. That's the whole security story, and it's a good one. It also means /etc/subuid and /etc/subgid actually have to grant you a big enough range, and a bind-mounted volume whose host owner doesn't line up with the subuid the container expects will give you permission denials that look nothing like a permissions problem. podman unshare chown -R 0:0 ./data (which, run inside the user namespace, makes the files owned by your own uid on the host) sorted most of mine.

The other one was services dying when I logged out. A rootless container runs under your systemd user session, and by default that session gets torn down when your last login closes. loginctl enable-linger $USER keeps it alive, and after that systemctl --user and podman generate systemd (or a Quadlet, if you're on a recent enough Podman) behave exactly like proper services.
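Both of those settings are easy to check before the first container runs. The script below is an added example, not from the post: it verifies that a subuid entry grants at least 65536 ids, translates a container uid into the host uid you'll see on a bind mount (the default rootless mapping: container uid 0 is your own uid, uid N is range start + N - 1), and checks the linger file systemd-logind writes. The function names are made up for this example, and the /etc/subuid content in the usage lines is constructed.

```shell
#!/bin/sh
# Added example (not the post's own code). Helper names are hypothetical.

# Largest subordinate-id range granted to user $1, reading subuid/subgid
# formatted text ("user:start:count" per line) from stdin. Prints 0 if none.
subid_range_for() {
    awk -F: -v u="$1" '$1 == u && $3 + 0 > max { max = $3 + 0 } END { print max + 0 }'
}

# Succeeds only if the user has at least 65536 subordinate ids,
# the usual minimum for images that use uids above 1000.
check_subid_range() {
    range=$(subid_range_for "$1")
    [ "$range" -ge 65536 ]
}

# Host uid that owns a file created as container uid $3, given the user's own
# uid ($1) and the start of their subuid range ($2). Default rootless mapping:
# container uid 0 -> $1, container uid N (N >= 1) -> $2 + N - 1.
container_uid_to_host() {
    user_uid=$1; start=$2; cuid=$3
    if [ "$cuid" -eq 0 ]; then
        echo "$user_uid"
    else
        echo $((start + cuid - 1))
    fi
}

# True if lingering is enabled for user $1, i.e. the marker file that
# `loginctl enable-linger` creates exists. $2 overrides the directory for tests.
linger_enabled() {
    [ -f "${2:-/var/lib/systemd/linger}/$1" ]
}

# Usage against constructed input (replace with: subid_range_for "$USER" < /etc/subuid).
SAMPLE_SUBUID='alice:100000:65536
bob:165536:1000'
printf '%s\n' "$SAMPLE_SUBUID" | check_subid_range alice && echo "alice: subuid range ok"
printf '%s\n' "$SAMPLE_SUBUID" | check_subid_range bob || echo "bob: subuid range too small"
echo "container uid 100 for alice is host uid $(container_uid_to_host 1000 100000 100)"
```

Run the same two checks against the real files with `subid_range_for "$USER" < /etc/subuid` and `linger_enabled "$USER"` once you have logged out and back in after `loginctl enable-linger`.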

Was it worth it? Yes. Nothing in that stack needs root, and now nothing in it has root. The mind remains, mostly, intact.