Privileged Containers
Normally, a container starts with limited access to the host and the kernel. This is a security feature. It isolates the container from the host.
When started as privileged, a container gets access close to the host itself.
DIND
DIND or "Docker in Docker" is a common use case for privileged containers. Here a Docker container runs its own Docker daemon. It can build and run other Docker containers.
Such DIND containers need many kernel capabilities. They create network interfaces, mount filesystems, and manage control groups. A docker container needs all of these.
The host docker daemon can't see the containers inside the DIND container. The DIND container has its own Docker daemon. The host daemon has no metadata about these containers.
When DIND creates containers, it makes them as siblings in the host. They aren't nested inside it. This is because Linux namespaces don't support nesting.