Using root inside the container is fine, because the container itself does not have many privileges: it cannot access hardware or mount paths. Root inside the container is essentially not a privileged user.
Installation of the application must be performed inside the container. The Dockerfile that creates the image needs to install the application before it can start, and this happens inside the container. If you use a container to run a special application (e.g. php7) that is built using node, etc., a build container that performs the installation is the right way to isolate the application update and its setup behaviour from the host system.
In fact, nothing should run outside the container when deploying the application with Docker. Any cron scripts should run docker exec container script.sh or similar to execute periodic jobs inside the container, for example.
In general, if an application requires root privileges in order to do something like configuration-based module updates, I use docker-compose to set up the build container, which does it all as root and then exits. I use the cap_drop section for the real application container to remove as many capabilities as possible.
Many applications require setuid or setgid to drop privileges - for example, nginx requires it to change from root to www-data:www-data. nginx will fail if it is started as the www-data user. The application should drop these capabilities after making the change itself.
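As an added illustration (not part of the answer above), a docker-compose.yml that follows the pattern described: a one-shot build container that runs as root and exits, and an nginx application container that drops every capability except the ones it needs to bind port 80 and switch to its unprivileged user. The image name example-app-builder, the install-app.sh script and the volume layout are assumptions; the minimal capability set shown is what nginx commonly needs and should be verified against the actual image.

```yaml
# Added example, not from the original answer. Names marked "assumed" are placeholders.
services:
  # One-shot installer: runs as root, installs the application into a shared
  # volume, then exits. Nothing here stays running.
  builder:
    image: example-app-builder:latest            # assumed image name
    user: root
    volumes:
      - app-code:/srv/app
    command: ["/bin/sh", "-c", "install-app.sh /srv/app"]   # assumed script
    restart: "no"

  # Long-running application container. nginx's master starts as root only to
  # bind port 80 and then switches workers to the unprivileged user from
  # nginx.conf (www-data in the answer, "nginx" in the official image), so
  # everything except the capabilities that switch requires is dropped.
  web:
    image: nginx:stable
    depends_on:
      builder:
        condition: service_completed_successfully   # wait for the installer to finish
    volumes:
      - app-code:/srv/app:ro                        # application files, read-only
    ports:
      - "8080:80"
    cap_drop:
      - ALL                                         # start from an empty capability set
    cap_add:
      - CHOWN                                       # nginx chowns its cache/log directories
      - SETUID                                      # master switches worker UID to www-data
      - SETGID                                      # ... and worker GID
      - NET_BIND_SERVICE                            # bind to port 80 without full root
    security_opt:
      - no-new-privileges:true                      # setuid binaries cannot regain privileges
    restart: unless-stopped

volumes:
  app-code:
```

Verify the result with docker inspect on the running container (the CapAdd/CapDrop fields) or by reading /proc/1/status inside it; if nginx logs a permission error at startup, add back only the single capability named in the error rather than re-enabling the full set.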