• anamethatisnt@sopuli.xyz
    11 minutes ago

    The main thing I see you can avoid with locking down the Docker images into a separate low user that can only access what they really need is if someone successfully attacks a project and you get infected with some shit when your Synology pulls image:latest.
    It could limit the traversal of a ransomware that successfully breaks free of the container but ends up having no permissions outside, as an example.
    I would probably purge the whole NAS and set up from my backup for my own peace of mind even with the user separation though.