Secure gitlab-runner


I would like to use the docker executor without granting root permission. Indeed, as explained in documentation docker can be not safe.
So I need to forbid some unsecure command from continuous processes such as:

docker rm -f $(docker ps -a -q)

But in same time I would like to allow docker build, pull, push comands

How this is managed in your side ?
As example projects hosted on gitlab allow to run docker commands from continuous integration and seem to be safe .

Thanks for your insight

Best regards