runAsNonRoot is a validation check, not a user switch. It doesn't change which user the container runs as — it only rejects containers that would run as root. To actually change the user, you need runAsUser. The most common mistake is thinking runAsNonRoot forces a non-root UID automatically.
Official docs