Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.
