The Vault deployment in `vault.yaml` explicitly sets `runAsNonRoot: false` in the pod `securityContext`, causing the Vault container to run as UID 0 (root). https://gitlab.com/sylva-projects/sylva-core/-/blob/main/kustomize-units/vault/vault.yaml?ref_type=heads#L9-L10 For a secrets manager, this is a critical security misconfiguration.