Closed
Description
From a security point of view, we currently run all containers with a default group of capabilities. It is my belief that a lot of these capabilities are present, because they were required for docker build and everyone has basically kept the list as the standard.
Since CRI-O runs containers in production and really does not build containers at this time, I believe admins could drop some of these capabilities and run a more secure system. If a system wanted to run something like buildah inside of a container, it could ask to have the missing capabilities added via the CRI.
I have a goal of dropping at least the mknod
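An audit sketch for the change proposed above, added here as an example and not taken from the issue or from CRI-O's code: it decodes the capability masks in `/proc/<pid>/status` and reports whether a capability slated for removal (here `CAP_MKNOD`) is still in a container process's effective or bounding set. The capability table assumes the "default group" is Docker's well-known 14-capability default set; the sample status text is constructed, and `audit`, `audit_pid` and `decode` are hypothetical helper names.

```python
import re

# Bit numbers from linux/capability.h for Docker's default capability set
# (assumed here to be the "default group" the issue refers to).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_FOWNER": 3, "CAP_FSETID": 4,
    "CAP_KILL": 5, "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_RAW": 13, "CAP_SYS_CHROOT": 18,
    "CAP_MKNOD": 27, "CAP_AUDIT_WRITE": 29, "CAP_SETFCAP": 31,
}
KNOWN_MASK = sum(1 << bit for bit in CAP_BITS.values())

# Constructed sample of /proc/<pid>/status for a container process that was
# started with the full default set (mask 0xa80425fb).
SAMPLE_STATUS = """Name:\tnginx
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", re.M)

def decode(mask):
    """Turn a capability bitmask into sorted names; unknown bits become 'bitN'."""
    names = sorted(n for n, bit in CAP_BITS.items() if (mask >> bit) & 1)
    extra = [f"bit{b}" for b in range(64) if ((mask & ~KNOWN_MASK) >> b) & 1]
    return names + extra

def audit(status_text, unwanted=("CAP_MKNOD",)):
    """Return {set_name: [unwanted caps]} for the effective and bounding sets.

    The bounding set is checked too: a capability left there can still be
    regained through a file-capability or setuid binary after exec.
    """
    sets = {m.group(1): int(m.group(2), 16) for m in CAP_LINE.finditer(status_text)}
    findings = {}
    for set_name in ("CapEff", "CapBnd"):
        hits = sorted(set(decode(sets.get(set_name, 0))) & set(unwanted))
        if hits:
            findings[set_name] = hits
    return findings

def audit_pid(pid, unwanted=("CAP_MKNOD",)):
    """Audit a live process on a Linux host."""
    with open(f"/proc/{pid}/status") as fh:
        return audit(fh.read(), unwanted)

if __name__ == "__main__":
    print(audit(SAMPLE_STATUS))
```

Run `audit_pid` against the init PID of each container on a node to confirm that a reduced default set has actually taken effect for newly created containers.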