The session-deduplicator only touches files under /mnt/docker-aio-config/session/, which is already owned by www-data, so running it as root grants more privilege than it needs. Dropping to www-data reduces the number of root-owned processes in the mastercontainer and follows least-privilege for the supervisord program set.
c6748dc450