Block Internet Access From Docker Container

It seems dangerous to allow users to configure their own container networks.

You seem to have a fundamental misapprehension about Docker: it's not meant, out of the box, to be a multi-user tool. Having access to Docker is equivalent to having root access on a host. If you want to provide some sort of multi-tenant container environment, you need to look at tools like Kubernetes that implement various access control mechanisms on top of some sort of container runtime.

Docker does have support for authorization plugins, so perhaps there is something you could implement using that feature.

Note that there are more secure alternatives: Podman has been providing rootless containers for a while, and even Docker now provides a rootless mode of operation.

These options eliminate the bulk of the security issues with Docker, but they have their own limitations (I haven't worked with rootless Docker, but I use Podman regularly and it's compatibility with docker-compose is only so-so).

Is there a way to eliminate internet capability from inside a container?

Sure, create a --internal network, and run your containers on that network:

$ docker network create --internal mynetwork $ docker run -it --rm --network mynetwork docker.io/alpine:latest sh 

You can't enforce use of this network, but you can certainly use it when deploying your own containers.

Also, as said in this Docker document docs.docker.com/network/bridge, that the default bridge network has its shortcomings and is not recommended for production use. This makes sense, however they do not offer a solution outside of configuring your own

The documentation describes how you can create additional bridge networks (or other sorts of networks) using the docker network create command. These networks do not suffer many of the limitations of the default bridge network (for example, Docker maintains DNS service on these networks so containers can refer to each other by name).