Using container features to limit access of a program to the broader machine (disk, network, other processes) seems like it would tend to be more secure than... not doing that. Right? It's not as if I'm exposing any docker remote-control-related stuff to the network.

No. What you are thinking about is sandboxing, which is not docker's main objective and can be done with many better tools like firejail.

docker adds its own daemon that creates additional attack surface that you would not have otherwise.