Looking at --privileged I see that it disables SELinux process labels.
I’m not disabling SELinux on my Discourse server, and in fact have instructions in my guide how to adapt to keeping SELinux enabled while using external nginx. You can also check your avc logs for relevant denials and write local policy using audit2allow. But that can be a long iterative process. I would start from scratch (wiping out /var/discourse) to make sure it’s a valid test and see whether you still need --permissive with SELinux disabled (e.g. setenforce 0). Then if that works, you can use audit2allow because setenforce 0 still writes avc entries, but is no longer stopped at the first gate, so you will get to a working policy faster.
I don’t think I’d keep using --privileged on a production system if I could help it.