There are two ways with the standard container shipped from us:
use cap_net_bind_service
as documented here: https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports
allow binding of privileged ports for non-privileged accounts
echo 'net.ipv4.ip_unprivileged_port_start=0' > /etc/sysctl.d/50-unprivileged-ports.conf
However, this allows also unprivileged users to bind privileged ports. Only do so when you understand the security implications!
Since grommunio (has to) operate on privileged ports (HTTP, HTTPS, SMTP, IMAP, etc.), there is no simple non-privileged start and you're good with it. However, this is nothing to be "afraid" of in the classic "container" way of thinking, since all services (such as grommunio's services, nginx, postfix, etc.) are designed by default to be very secure and drop privileges after binding to their ports.
Helm charts are underway for non-privileged deployments as well - these are in the works and being developed together with selected, very large hosting companies. The modular design of grommunio requires well-spec'd containers to enable limitless scale-out in deployments such as K8 and derivatives such as EKS. There are installations out there, however I kindly ask for understanding, that we're not just releasing them without necessary checks. This way we prevent any people putting data on something they might not understand by just using helm/swarm or alike.
Feel free to use the hints above, and if you use the builds provided by us, you can always (also later) get support in form of any of our subscriptions.