Containers can be entirely without anything. Some containers only contain the binary that gets executed. But many containers do contain pretty much a full distribution, but I have yet to see a container with a password hash in its /etc/shadow file…
So while the container has a root account, it doesn’t have any login at all, no password, no ssh key, nothing.
Sure, there’s also the scratch image, which is entirely empty… So if your app is just a single statically linked binary, your entire container contents can be a single binary.
The busybox image is also more barebones than alpine, but still has a couple of basic tools.
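To check the /etc/shadow observation against your own images, here is an added example (not code from the thread) that classifies the password field of each entry in a shadow file taken from an image's root filesystem. The sample entries and the function names are constructed for illustration.

```python
import re
import sys

# Constructed sample entries (not from a real image).
SAMPLE_SHADOW = """\
root:*:19000:0:99999:7:::
daemon:!:19000:0:99999:7:::
svc::19000:0:99999:7:::
admin:$6$constructedsalt$constructedhash:19000:0:99999:7:::
legacy:ab01234567890:19000:0:99999:7:::
"""

DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # traditional 13-character crypt(3)


def classify(pw_field):
    """Classify the second field of a shadow entry."""
    if pw_field == "":
        return "empty"   # no password needed at all
    if pw_field.startswith("$") or DES_CRYPT.fullmatch(pw_field):
        return "hash"    # a password could match this
    return "locked"      # "*", "!", "!!", "!$6$..." and anything else crypt(3) cannot produce


def audit(shadow_text):
    """Map each account name to 'empty', 'hash' or 'locked'."""
    result = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue     # skip blank, comment and malformed lines
        result[fields[0]] = classify(fields[1])
    return result


def password_logins(shadow_text):
    """Accounts that a password-based login could authenticate as."""
    return [user for user, state in audit(shadow_text).items() if state != "locked"]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        try:
            with open(sys.argv[1], encoding="utf-8") as fh:
                text = fh.read()
        except FileNotFoundError:
            sys.exit("no shadow file (expected for scratch-based images)")
    else:
        text = SAMPLE_SHADOW
    for user, state in audit(text).items():
        print(f"{user:10} {state}")
```

An `empty` result is the one to act on first: it means the account accepts a login with no password, which is a different situation from the locked `*` or `!` entries described above.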