Rootless Docker-in-Docker with restricted privileged mode not working on SaaS runners

GitLab Runner recently added support for using rootless Docker-in-Docker with restricted privileged mode (cf. Docker executor | GitLab).

On my local runner this works fine; however, the GitLab.com SaaS runners do not work and fail directly after the Executing "step_script" stage of the job script, before executing any command of the script, with:

Running with gitlab-runner 16.3.0~beta.108.g2b6048b4 (2b6048b4)
  on green-2.saas-linux-small-amd64.runners-manager.gitlab.com/default ns46NMmJ, system ID: s_85d7af184313
  feature flags: FF_USE_IMPROVED_URL_MASKING:true, FF_RESOLVE_FULL_TLS_CHAIN:false
Preparing the "docker+machine" executor 00:14
Using Docker executor with image docker:24.0 ...
Starting service docker:24.0-dind-rootless ...
Pulling docker image docker:24.0-dind-rootless ...
Using docker image sha256:3aec54f5c99190ff5482324d068a7f3cdef0238906a535942185d154448a2cf0 for docker:24.0-dind-rootless with digest docker@sha256:ab47009b1fb2eea9e733630366e9fc6a69907a5055e71ce5414ee1b8c9df9547 ...
Waiting for services to be up and running (timeout 30 seconds)...
Pulling docker image docker:24.0 ...
Using docker image sha256:3dac4bc5e37ce90fbf298b793ad8b78828ec645c6bd46171160a864eb7ca65ab for docker:24.0 with digest docker@sha256:e23ecf98b779c5e927622d69f4656c471b400d822f453891b72f51c3dc6b1fbf ...
Preparing environment 00:00
Running on runner-ns46nmmj-project-20038732-concurrent-0 via runner-ns46nmmj-s-l-s-amd64-1697702628-fcf46dec...
Getting source from Git repository 00:02
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/mrtux/project/.git/
Created fresh repository.
Checking out e5caa33c as detached HEAD (ref is tstmaster)...
Skipping Git submodules setup
$ git remote set-url origin "${CI_REPOSITORY_URL}"
Executing "step_script" stage of the job script 00:00
Using docker image sha256:3dac4bc5e37ce90fbf298b793ad8b78828ec645c6bd46171160a864eb7ca65ab for docker:24.0 with digest docker@sha256:e23ecf98b779c5e927622d69f4656c471b400d822f453891b72f51c3dc6b1fbf ...
Cleaning up project directory and file based variables 00:00
ERROR: Job failed (system failure): Error response from daemon: Cannot link to a non running container: /runner-ns46nmmj-project-20038732-concurrent-0-f0c216a1f4263d21-docker-0 AS /runner-ns46nmmj-project-20038732-concurrent-0-f0c216a1f4263d21-build/docker (exec.go:78:0s)

I use the following .gitlab-ci.yml (based on Docker executor | GitLab):

variables:
  DOCKER_TLS_CERTDIR: ""

prepare-docker-image:
  needs: []
  cache: {}
  image: docker:24.0
  services:
    - name: docker:24.0-dind-rootless
      command: ["--tls=false"]
  script:
    - cd .gitlab-ci
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" "$CI_REGISTRY" --password-stdin
    - docker build --pull -t $CI_REGISTRY_IMAGE/maven:latest .
    - docker push $CI_REGISTRY_IMAGE/maven:latest

I don’t see any way to debug this on my own. Aren’t all containers (also the services) executed with privileged mode in GitLab.com?

How can I make it work on my local runner and also for forks that cannot use my runner on GitLab.com with the provided SaaS runners?

My solution (not perfect) is to define a special environment variable, environment = ["DIND_ROOTLESS=-rootless"], in my local runner configuration and to include this in the service image:

  services:
    - name: docker:24.0-dind$DIND_ROOTLESS
      command: ["--tls=false"]

This way, the $DIND_ROOTLESS on GitLab SaaS is empty and uses the normal dind image.
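As an added example that is not part of the original post, this is what the local runner's config.toml could look like for that workaround: the DIND_ROOTLESS variable is injected runner-side, and restricted privileged mode keeps the build container unprivileged and grants privileged mode only to the rootless dind service. The runner name, token placeholder and the image glob are assumptions; the [runners.docker] keys are the ones documented for the GitLab Runner Docker executor.

```toml
# Added example, not from the original post: local runner config.toml for the
# DIND_ROOTLESS workaround combined with restricted privileged mode.
[[runners]]
  name = "local-rootless-dind"          # assumed name for this example
  url = "https://gitlab.com/"
  token = "<RUNNER_TOKEN_PLACEHOLDER>"
  executor = "docker"
  # Injected into every job on this runner, so the job's service
  # "docker:24.0-dind$DIND_ROOTLESS" resolves to docker:24.0-dind-rootless here.
  # On the SaaS runners the variable is unset and the plain dind image is used.
  environment = ["DIND_ROOTLESS=-rootless"]
  [runners.docker]
    image = "docker:24.0"
    # The build container itself never runs privileged.
    privileged = false
    # Only service containers may run privileged ...
    services_privileged = true
    # ... and only images matching this glob (assumed pattern) get it;
    # rootless dind still needs a privileged container to start.
    allowed_privileged_services = ["docker:*-dind-rootless"]
    allowed_privileged_images = []
    volumes = ["/cache"]
```

Because the rootless service is then the only container that can be privileged, a job that swaps in a different service image will fail at startup instead of silently running with full host privileges.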