I think you could be right there - I also remember some strange behaviour for relative paths in docker compose. But I think that was compose V1 (the Python-based tool).
I suppose compose V2 (golang-based) has since fixed it, as I have not had an issue in a long time. It's also possible to bind mount using $PWD so the absolute path is used anyway:
volumes:
- ${DATA_DIR:-${PWD}/data/transfer}:/data/transfer
As for security, I agree the risk is quite low for most use cases. Using a rootless daemon does reduce the potential attack surface however (if, like you say, a vulnerability is discovered), and isn't very complicated to configure, so I always default to that.
My other concern is using tools that by default run daemonless (rootless), like Podman. In theory a user could use the Central docker-compose.yml and run with Podman, but would be prevented from doing so with the current config.
EDIT looks like there is no need for $PWD, compose V2 supports resolving relative paths to absolute: https://github.com/compose-spec/compose-go/pull/332