You don't seem to have any choice in the user (root) running the CMD inside a container launched from an image built "FROM scratch
".
But by definition of a container, that user can only influence its own (disk, memory, resources) space, not the host. So it should not matter.
The only other alternative would be to define a container from scratch only for declaring a volume container, that you would use in a full-fledged image able to run with a non-root user.
See "Running as a non-root inside a container"
$ echo 'FROM scratch
ADD data.tar /
VOLUME ["/data"]' > Dockerfile
$ docker build -t minimal .
$ docker create --name minimal minimal :
The container that mounts this minimal volume container needs to create the user with id 1000:
$ docker run --rm --volumes-from minimal -it debian:jessie /bin/bash -c 'useradd postgres && ls -l /data'
That is not what you need (since the Go program does not need any dynamic libraries, and can run solely on system calls). But that illustrates how a non-root user can use a "FROM scratch
" container (here as a volume)