Can't bind to privileged ports as non-root #8460

@tianon

The simplest way to reproduce this is:

$ docker run --rm -u 1000 php:apache
...
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
...

So, that led me to try this, but with the same result:

$ docker run --rm -u 1000 --cap-add NET_BIND_SERVICE php:apache
...
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
...

IMO, it seems reasonable to allow non-root to bind to privileged ports inside the container, especially since they have a private net namespace, so I was actually surprised this wasn't already taken care of. I'm also confused as to why the --cap-add didn't work, but maybe that's because it adds the cap to the whitelist of things to not remove, not necessarily adds it if it isn't there? I'm grasping at straws here.
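A quick way to see why `--cap-add` changes nothing here is to look at the process's own capability sets: `--cap-add` only widens the bounding set (CapBnd), while a non-root uid started without file or ambient capabilities gets an empty permitted/effective set, and `bind(2)` to a port below 1024 checks the effective set. The following is an added diagnostic, not code from the issue or from Docker; the `/proc/<pid>/status` sample it parses is constructed to resemble a `-u 1000 --cap-add NET_BIND_SERVICE` container, and the hex masks are illustrative.

```python
import re

# Capability numbers come from linux/capability.h; NET_BIND_SERVICE is bit 10.
CAP_NET_BIND_SERVICE = 10
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def parse_cap_sets(status_text):
    """Return {field: bitmask} for the Cap* lines of a /proc/<pid>/status dump."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m and m.group(1) in CAP_FIELDS:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def has_cap(mask, cap):
    return bool((mask >> cap) & 1)


def diagnose(status_text, cap=CAP_NET_BIND_SERVICE):
    """Report which sets hold `cap` and what that means for bind(2) on port < 1024."""
    sets = parse_cap_sets(status_text)
    where = {name: has_cap(sets.get(name, 0), cap) for name in CAP_FIELDS}
    if where["CapEff"]:
        verdict = "effective: bind(2) to a privileged port will succeed"
    elif where["CapBnd"]:
        # This is the --cap-add + -u <non-root> case: permitted by the bounding
        # set, but never raised into the effective set for the non-root uid.
        verdict = "in bounding set only: bind(2) will fail with EACCES"
    else:
        verdict = "absent: not even in the bounding set"
    return where, verdict


def read_self_status():
    """Live check: run inside the container to inspect the current process."""
    with open("/proc/self/status") as f:
        return f.read()


# Constructed sample (not captured from a real container): uid 1000, cap in CapBnd only.
SAMPLE_NONROOT_CAP_ADD = """\
Name:\tapache2
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
```

Calling `diagnose(read_self_status())` inside the container shows the same picture live; an alternative that avoids capabilities entirely on Linux 4.11+ is lowering the namespaced sysctl `net.ipv4.ip_unprivileged_port_start` for the container.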
