NFS access to containers/pods and permissions/security


Hi, not sure if this is the right place to post this or not, but I was reading through this article: https://docs.okd.io/latest/storage/persistent_storage/persistent-storage-nfs.html and had a question about NFS permissions and security for containers.

We're running Kubernetes at our site (with a Rancher frontend), so I'm sure there are some differences in the setup, but I think the concept is the same.

In the scenario described on the page, it mentions using supplementalGroups to get access to an NFS share that has permissions set on it. This does seem to work, but how would you restrict the users from launching any container with that group in it? What if you had users who shouldn't be in that group: they launch a container, add the group locally inside of the container, and then suddenly have access to that area.

I guess my question is, how can we strictly enforce permissions on containers/pods that access NFS shares so that we can have a multi-tenant environment where some users have access to the share and some don't, and they cannot 'get' access through some other means?

I'm not even sure I'm asking the right question, but I have to start somewhere.
Thanks.
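One defender-side control for the concern raised in the post, added here as an example and not part of the original thread: an admission-style check (the kind a validating webhook or policy engine runs before a pod is scheduled) that rejects pods whose supplementalGroups, fsGroup or runAsGroup fall outside a per-namespace GID allowlist, and rejects pods that could run as root without dropping CAP_SETGID, since a root process holding that capability can call setgroups() to any GID no matter what /etc/group inside the container says. The TenantPolicy type, the GIDs and the pod specs are constructed for illustration.

```python
"""Admission-style check: does a pod spec stay within the GIDs a tenant may use?"""
from dataclasses import dataclass


@dataclass
class TenantPolicy:
    # Inclusive GID ranges a namespace may request via supplementalGroups/fsGroup/runAsGroup
    allowed_gid_ranges: list
    # Root with CAP_SETGID can setgroups() to any GID, so root must be prevented or the cap dropped
    require_non_root: bool = True


def _gid_allowed(gid, ranges):
    return any(lo <= gid <= hi for lo, hi in ranges)


def _caps_drop_setgid(container):
    caps = container.get("securityContext", {}).get("capabilities", {})
    drop = {c.upper() for c in caps.get("drop", [])}
    return "ALL" in drop or "SETGID" in drop


def validate_pod(pod: dict, policy: TenantPolicy) -> list:
    """Return a list of violations; an empty list means the pod would be admitted."""
    violations = []
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})
    requested = {("supplementalGroups", g) for g in psc.get("supplementalGroups", [])}
    for key in ("fsGroup", "runAsGroup"):
        if key in psc:
            requested.add((key, psc[key]))
    for container in spec.get("containers", []):
        csc = container.get("securityContext", {})
        if "runAsGroup" in csc:
            requested.add((f"containers/{container['name']}/runAsGroup", csc["runAsGroup"]))
        # Container-level settings override pod-level ones; unset runAsUser means the image default (often root)
        run_as_user = csc.get("runAsUser", psc.get("runAsUser"))
        non_root = csc.get("runAsNonRoot", psc.get("runAsNonRoot", False))
        may_be_root = not non_root and run_as_user in (None, 0)
        if policy.require_non_root and may_be_root and not _caps_drop_setgid(container):
            violations.append(f"container {container['name']} may run as root with CAP_SETGID "
                              "and could call setgroups() to reach any GID")
    for where, gid in sorted(requested):
        if not _gid_allowed(gid, policy.allowed_gid_ranges):
            violations.append(f"{where}={gid} is outside the namespace's allowed GID ranges")
    return violations


# Constructed sample: tenant A may only use GID 5555, which the NFS export is group-owned by
TENANT_A_POLICY = TenantPolicy(allowed_gid_ranges=[(5555, 5555)])
TENANT_A_POD = {"spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                                             "supplementalGroups": [5555]},
                         "containers": [{"name": "app", "image": "example/app"}]}}
# Constructed sample: the same tenant also requests GID 6666 and leaves the container able to run as root
ROGUE_POD = {"spec": {"securityContext": {"supplementalGroups": [5555, 6666]},
                      "containers": [{"name": "app", "image": "example/app"}]}}
```

In a real cluster the same rule is expressed through the admission layer (Pod Security Admission, a policy engine, or a validating webhook) rather than a script, so that tenants cannot bypass it by editing their own manifests.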
