Docker bind to a project folder (common for development) allows the image to take over the shell. Taking over the shell allows taking over the package manager. That allows taking over the system.
I keep spreadsheets in project folders. Allowing full writes to a project folder allows taking over the shell. See above.
Folder-level permissions are not sufficient. Sorry, I shortened it too much, but basically - there's almost no practical difference between allowing writes to a dev project folder and allowing writes everywhere. (It would stop some really trivial attempts.) Your actual system folders are safe, of course... but who cares about those, really?
...and, office?! Do you keep spreadsheets in system folders?
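As an added illustration (not part of the thread above and not anyone's project configuration), here is a Docker Compose fragment that places the weak pattern the commenter describes, a read-write bind mount of the whole project folder, beside a hardened form in which the container can read the sources but cannot write back into the host tree. The service names, image names, paths and the UID/GID are assumptions; the image digest is a placeholder.

```yaml
# Added example, not from the thread. Service names, image names, paths and UID are assumed.
services:
  # Weak: whatever runs in the image can write any file into the host's project folder.
  dev-weak:
    image: example/devtools:latest        # assumed image name, mutable tag
    volumes:
      - ./project:/app                    # read-write bind mount of the whole tree
    working_dir: /app

  # Hardened: sources are visible read-only; generated output goes to a named volume.
  dev-hardened:
    image: example/devtools@sha256:<digest>   # placeholder: pin the image by digest
    user: "1000:1000"                         # assumed host UID:GID; do not run as root
    volumes:
      - ./project:/app:ro                     # read-only bind mount of the host tree
      - build-output:/app/dist                # container writes land here, not on the host
    working_dir: /app
    read_only: true                           # container root filesystem is read-only
    tmpfs:
      - /tmp                                  # scratch space that does not touch the host
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

volumes:
  build-output:
```

With the `:ro` mount the container cannot alter files the host shell, editor or package manager will later read from the project folder, which is the path the commenter is worried about; output the container must produce is routed to a named volume instead. If a workflow genuinely needs the container to rewrite sources (code generators, in-place formatters), the mount cannot be read-only, and the remaining controls are pinning the image by digest and running it as an unprivileged user rather than trusting a mutable tag.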