Istio init-container running as root with all capabilities

I see that for the injected sidecar we run as root user 0 and add the NET_ADMIN capability.

Why don't we add the NET_RAW capability as well and drop the rest of the capabilities, such as: cap_chown, cap_dac_override, cap_fowner, cap_fsetid, cap_kill, cap_setgid, cap_setuid, cap_setpcap, cap_net_bind_service, cap_sys_chroot, cap_mknod, cap_audit_write, cap_setfcap+eip

securityContext:
  runAsUser: 0
  runAsNonRoot: false
  capabilities:
    add:
      - NET_ADMIN
      - NET_RAW
    drop:
      - ALL

This is in regards to the pod security policy: as the policies are only at a pod level rather than a container level, in order to have the istio init container covered by a pod security policy, do you need to allow all containers within a pod to run as root user 0?
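As an added example (not Istio's code and not from the original post), a small Python audit over Pod manifests that flags exactly what the question is about: a root container that does not drop ALL capabilities, or one that adds capabilities beyond NET_ADMIN and NET_RAW. The manifests are constructed inline as dicts; no cluster access or YAML library is assumed.

```python
ALLOWED_CAPS = {"NET_ADMIN", "NET_RAW"}  # what the init container needs for iptables


def audit_container(container):
    """Return findings for one container dict as it appears in a Pod manifest.
    A container running as root passes only if it drops ALL capabilities and
    adds nothing beyond ALLOWED_CAPS; a non-root container is only checked for
    unexpected added capabilities."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    added = set(caps.get("add") or [])
    dropped = set(caps.get("drop") or [])
    findings = []
    runs_as_root = sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False
    if runs_as_root and "ALL" not in dropped:
        # Root without an explicit drop keeps the runtime's full default capability set
        findings.append(f"{name}: runs as root without dropping ALL capabilities")
    extra = added - ALLOWED_CAPS
    if extra:
        findings.append(f"{name}: adds unexpected capabilities {sorted(extra)}")
    return findings


def audit_pod(pod):
    """Audit the init containers and regular containers of one Pod manifest."""
    spec = pod.get("spec") or {}
    findings = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        findings.extend(audit_container(c))
    return findings


# Constructed sample manifests: the init container as the question describes it
# (root, NET_ADMIN added, nothing dropped) and the proposed tightened variant.
LOOSE_POD = {"spec": {"initContainers": [{
    "name": "istio-init",
    "securityContext": {"runAsUser": 0, "runAsNonRoot": False,
                        "capabilities": {"add": ["NET_ADMIN"]}}}]}}
TIGHT_POD = {"spec": {"initContainers": [{
    "name": "istio-init",
    "securityContext": {"runAsUser": 0, "runAsNonRoot": False,
                        "capabilities": {"add": ["NET_ADMIN", "NET_RAW"],
                                         "drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("loose", LOOSE_POD), ("tight", TIGHT_POD)):
        print(label, audit_pod(pod) or ["no findings"])
```

The same check can be run against `kubectl get pod -o json` output once the manifest is loaded into a dict.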