diff --git a/.docker/Dockerfile-alpine b/.docker/Dockerfile-alpine
index 075a1a75328..1cc14658cac 100644
--- a/.docker/Dockerfile-alpine
+++ b/.docker/Dockerfile-alpine
@@ -1,22 +1,29 @@
 FROM alpine:3.20
-RUN addgroup -S ory; \
- adduser -S ory -G ory -D -H -s /bin/nologin && \
- apk upgrade --no-cache && \
+RUN < /etc/nsswitch.conf
+ # Add a user/group for Ory with a stable UID + GID:
+ # NOTE: This only appears relevant for supporting hydra as non-root, otherwise unnecessary.
+ addgroup --system --gid 500 ory
+ adduser --system --uid 500 \
+ --gecos "Ory User" \
+ --home /home/ory \
+ --ingroup ory \
+ --shell /sbin/nologin \
+ ory
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite && \
- chown ory:ory /var/lib/sqlite
+ # Create the sqlite directory with ownership to that user and group:
+ # NOTE: This is required for read/write by SQLite.
+ # - Path may be a default value somewhere, or only explicitly provided via DSN?
+ # - Owner/Group is only relevant to permissions allowing the hydra process to read/write to the location.
+ # - Bind mount volumes will replace the ownership with that of the host directory, requiring correction.
+ install --owner ory --group ory --directory /var/lib/sqlite
+HEREDOC
-USER ory
+COPY hydra /usr/bin/hydra
 ENTRYPOINT ["hydra"]
 CMD ["serve", "all"]
+USER ory
diff --git a/.docker/Dockerfile-build b/.docker/Dockerfile-build
index 18cc454fba9..0c858feaeb3 100644
--- a/.docker/Dockerfile-build
+++ b/.docker/Dockerfile-build
@@ -23,8 +23,6 @@ FROM gcr.io/distroless/static-debian12:nonroot AS runner
 COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/hydra /usr/bin/hydra
-VOLUME /var/lib/sqlite
-
 # Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
 EXPOSE 4444 4445
 
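Review bot: The heredoc `RUN` body in the Dockerfile-alpine hunk (from the line ending in `/etc/nsswitch.conf` through `HEREDOC`) shows no `set -e`, and heredoc lines are executed sequentially rather than `&&`-chained, so a failing `addgroup` or `adduser` would not abort the build by itself; the `&&` chain on the removed lines did fail fast. Put `set -eu` as the first line of the heredoc body so any failing command stops the build. The heredoc opener appears mangled in this rendering, so if it already enables `-e` through a shell option this does not apply. Separately, line 1 of the new file is still `FROM alpine:3.20` with no `# syntax=docker/dockerfile:1` directive; a builder whose frontend predates heredoc support would pass `RUN <<HEREDOC` to the shell unparsed, so pinning the frontend with that directive as the new first line is worth adding.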
diff --git a/.docker/Dockerfile-hsm b/.docker/Dockerfile-hsm
index c4199fe87e4..8c51e3fcdac 100644
--- a/.docker/Dockerfile-hsm
+++ b/.docker/Dockerfile-hsm
@@ -53,30 +53,36 @@ ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
 ENV HSM_TOKEN_LABEL=hydra
 ENV HSM_PIN=1234
+# NOTE: This is broken already. Even though this image provides a shell, you'd need to configure it with
+# `SHELL ["/busybox/sh", "-c"]`, however `apt-get` does not exist either in a distroless image.
+# This was original an Alpine image, the refactoring was not verified properly in this commit:
+# https://github.com/ory/hydra/commit/c1e1a569621d88365dceee7372ca49ecd119f939#diff-ae54bef08e3587b28ad8e93eb253a9a5cd9ea6f4251977e35b88dc6b42329e25L31
 RUN apt-get -y install softhsm opensc &&\
 pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
-RUN addgroup -S ory; \
- adduser -S ory -G ory -D -h /home/ory -s /bin/nologin; \
- chown -R ory:ory /home/ory; \
+RUN < /etc/nsswitch.conf
+FROM alpine:3.20 AS base-files
-RUN addgroup -S ory; \
- adduser -S ory -G ory -D -h /home/ory -s /bin/nologin;
+RUN <