Fix a few typos in the ECI docs.

content/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/config.md

@@ -47,7 +47,8 @@
           "docker.io/localstack/localstack:*",
           "docker.io/testcontainers/ryuk:*",
           "docker:cli"
-        ]
+        ],
+        "allowDerivedImages": true
       },
       "commandList": {
         "type": "deny",
@@ -119,9 +120,9 @@
 Docker Desktop checks if the container's image digest matches one of the allowed
 digests. If so, the container is allowed to start, otherwise it's blocked.
 
-Due to the digest comparison, it's not possible to bypass the Docker socket mount permissions by re-tagging a
-disallowed image to the name of an allowed one. In other words, if a user
-does:
+Due to the digest comparison, it's not possible to bypass the Docker socket
+mount permissions by re-tagging a disallowed image to the name of an allowed
+one. In other words, if a user does:
 
 ```console
 $ docker image rm <allowed_image>
@@ -135,7 +136,7 @@
 
 ### Docker Socket Mount Permissions for derived images
 
-{{ introduced desktop 4.34.0 "../../../../desktop/release-notes.md#4340" }}
+{{< introduced desktop 4.34.0 "../../../../desktop/release-notes.md#4340" >}}
 
 As described in the prior section, administrators can configure the list of container
 images that are allowed to mount the Docker socket via the `imageList`.
@@ -162,7 +163,7 @@
 ```json
 "imageList": {
   "images": [
-    "paketobuildpacks/builder:base",
+    "paketobuildpacks/builder:base"
   ],
   "allowDerivedImages": true
 }
@@ -173,12 +174,15 @@
 allow this because it will notice that the ephemeral image is derived from an
 allowed image.
 
-The behavior is enabled by default. It can be disabled by setting
-`allowDerivedImages=false` in the `admin-settings.json` file. In general it is
-not recommended that you disable this setting unless you know it won't be
-required.
+The behavior is disabled by default and must be explicitly enabled by setting
+`"allowDerivedImages": true` as shown above. In general it is recommended that
+you disable this setting unless you know it's required.
 
-A couple of caveats:
+A few caveats:
+
+* Setting `"allowedDerivedImages" :true` will impact the startup time of
+  containers by up to 1 extra second, as Docker Desktop needs to perform
+  some more checks on the container image.
 
 * The `allowDerivedImages` setting only applies to local-only images built from
   an allowed image. That is, the derived image must not be present in a remote
@@ -211,6 +215,10 @@
 }
 ```
 
+This tells Docker Desktop to allow all containers to mount the Docker socket
+which increases flexibility but reduces security. It also improves container
+startup time when using Enhanced Container Isolation.
+
 It is recommended that you use this only in scenarios where explicitly listing
 allowed container images is not flexible enough.