Answering my own question: it’s declared to be a volume. If you take out the VOLUME instruction, the chown takes effect. What’s more, if you declare the volume after running chown, the chown settings remain in effect.
This is the most restrictive and safest way I’ve found, as explained here for hypothetical ~/my/web/root/ directory for your web content: For each parent directory leading to your web root (e.g. ~/my, ~/my/web, ~/my/web/root): chmod go-rwx DIR (nobody other than owner can access content) chmod go+x DIR (to allow “users” including _www to “enter” the … Read more