service/ci.md

@@ -384,7 +384,9 @@ inconsistent at best, see [this other MR](https://gitlab.com/gitlab-org/gitlab-r
 We are considering [podman](https://podman.io/) for running containers more securely:
 because they can run containers "rootless" (without running as root on
 the host), they are generally thought to be better immune against
-container escapes. See [those instructions](https://github.com/jonasbb/podman-gitlab-runner)
+container escapes. See [those instructions](https://github.com/jonasbb/podman-gitlab-runner). Do note that custom
+executors have limitations that the default Docker executor do not,
+see for example the [lack of ENTRYPOINT support](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27301).
 
 This could also possibly make it easier to build containers inside
 GitLab CI, which would otherwise require docker-in-docker (DinD),