How To Run Docker Inside an LXC Container?

Docker can run in ZFS-backed containers but will use the very slow and inefficient vfs backend rather than the much, much faster overlay2 backend.

That’s why we usually recommend at least putting /var/lib/docker on a non-ZFS pool.

The two security.syscalls.intercept settings are similarly related to the use of overlay2, so in your case, on ZFS with the slow vfs backend, you don’t need them, but when switching to overlay2, some layers will require them and would otherwise fail to unpack with odd errors.

(I’m no Docker expert, but it looks like the vfs backend simply takes every layer, stores it raw to disk and then, for every single Docker container you create, reads them back, computes the full layered filesystem and writes it out for that one container. So if you ever re-create your container or run more than one of them, you can expect a lot of CPU and disk usage that you wouldn’t have on overlay2.)
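The setup described in the reply above, written out as an added example (this is not code from the original post or from the LXD project): a small script that checks whether a given /var/lib/docker path sits on ZFS and would therefore force Docker onto the vfs driver, and a helper that creates a nested LXD container with the two syscall intercepts enabled and a dir-backed custom volume mounted at /var/lib/docker so the ZFS-backed rootfs is not used for image layers. Assumptions: the two intercepts the reply refers to are `security.syscalls.intercept.mknod` and `security.syscalls.intercept.setxattr`; the pool name `docker-pool`, the volume name and the image alias `images:ubuntu/22.04` are placeholders to adjust; the check relies on GNU coreutils `stat -f -c %T`.

```shell
#!/bin/sh
# Added example, not the original post's or LXD's own code.
# Assumed keys: security.nesting, security.syscalls.intercept.mknod,
# security.syscalls.intercept.setxattr. Pool/volume/image names are placeholders.
set -eu

# Report the filesystem type behind a path and whether overlay2 is usable there.
# Exit status: 0 = not ZFS (overlay2 possible), 1 = ZFS (vfs fallback), 2 = path missing.
check_docker_storage() {
    path="$1"
    [ -e "$path" ] || { echo "$path does not exist" >&2; return 2; }
    fstype="$(stat -f -c %T "$path")"   # GNU coreutils: filesystem type name
    if [ "$fstype" = "zfs" ]; then
        echo "WARNING: $path is on ZFS; Docker will fall back to the slow vfs driver" >&2
        return 1
    fi
    echo "$path is on $fstype; Docker can use overlay2"
    return 0
}

# Driver Docker is expected to pick inside an unprivileged container for a given
# backing filesystem type: ZFS -> vfs fallback, ext4/xfs/tmpfs/... -> overlay2.
expected_docker_driver() {
    case "$1" in
        zfs) echo vfs ;;
        *)   echo overlay2 ;;
    esac
}

# Create a container for Docker: nesting on, both syscall intercepts on, and a
# dir-backed custom volume (on the host's regular filesystem) at /var/lib/docker.
setup_docker_container() {
    name="${1:-docker}"                       # container name (placeholder default)
    lxc storage create docker-pool dir        # fails if the pool already exists
    lxc storage volume create docker-pool "$name-docker"
    lxc init images:ubuntu/22.04 "$name" \
        -c security.nesting=true \
        -c security.syscalls.intercept.mknod=true \
        -c security.syscalls.intercept.setxattr=true
    lxc config device add "$name" docker disk \
        pool=docker-pool source="$name-docker" path=/var/lib/docker
    lxc start "$name"
}

# After installing Docker inside the container, confirm which driver it chose.
docker_driver_in_container() {
    lxc exec "${1:-docker}" -- docker info --format '{{.Driver}}'
}
```

Run `check_docker_storage /var/lib/docker` inside the container before installing Docker; once Docker is up, `docker_driver_in_container NAME` should print `overlay2` rather than `vfs` if the volume mount took effect. The container is created with `lxc init` and started only after the disk device is attached, so the mount is in place before anything writes to /var/lib/docker.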