A non-root container runs its app as a non-zero UID inside the container; a rootless engine runs the whole runtime unprivileged on the host (root inside the container is remapped to an unprivileged host user). Dropping capabilities, using a read-only rootfs, and removing the service account (SA) token are real hardening measures, but they are not this distinction.