I had been reviewing the docs and I found a couple errors in the sample files as they relate to my implementation of a single container using debian buster (possibly stretch and others).
Firstly, my single container should be privileged, but when evaluated by entry.sh https://github.com/balena-io-library/base-images/blob/master/examples/INITSYSTEM/systemd/systemd.v230/entry.sh it does not correctly detect the PRIVILEGED status. I was able to hardcode this as a workaround.
Second, the docs often reflect UDEV=1 to enable UDEV which seems outdated as the correct variable setting is either “on/off” https://www.balena.io/docs/reference/base-images/base-images/#major-change - search UDEV=1
This was fairly confusing but through trial and error unplugging my USB device I concluded that I needed to perform both of these steps (hardcode PRIVILEGED variable and set UDEV on) in order to get the container to see hotplug events (do the correct functions within entry.sh).
Dockerfile.template: ENV container docker ENV INITSYSTEM on ENV UDEV on entry.sh: #if hostname "$HOSTNAME" &> /dev/null; then PRIVILEGED=true #else # PRIVILEGED=false #fi