Why does `/etc/alternatives` being a symlink affect `apt`?

I've got the following Dockerfile:

FROM ubuntu:22.04

# Step 1
RUN apt update && apt install -y wget

# Step 2
# All your persistent configs are in /root.
RUN mkdir -p /root/.symlinks/etc \
    && mv /etc/alternatives /root/.symlinks/etc/alternatives \
    && ln -sf /root/.symlinks/etc/alternatives /etc/alternatives

# Step 3
RUN wget -O /usr/share/keyrings/xpra.asc https://xpra.org/gpg.asc \
    && wget -P /etc/apt/sources.list.d https://raw.githubusercontent.com/Xpra-org/xpra/master/packaging/repos/jammy/xpra.sources

# Step 4
RUN apt update

In step 2, I change /etc/alternatives into a symlink to another directory, in step 3 I install a program called xpra, and then in step 4 I run apt update. The final step 4 fails with the following error:

RUN apt update
Get:6 https://xpra.org jammy InRelease [4096 B]
Err:6 https://xpra.org jammy InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 18ADB31CF18AD6BB
Reading package lists...
W: GPG error: https://xpra.org jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 18ADB31CF18AD6BB
E: The repository 'https://xpra.org jammy InRelease' is not signed.

But if I were to omit step 2, which is changing /etc/alternatives into a symlink, then step 4 would work correctly.

Why would /etc/alternatives being a symlink affect apt?

The problem seems to occur because /root doesn't have the x bit set for other users. It is drwx------. So during apt update, it must be the case that a non-root user tries to execute a file from /etc/alternatives, which is actually /root/.symlinks/etc/alternatives, and it can't enter /root because /root doesn't have the x bit set for non-root users.

If I add the line chmod +x /root in between steps 1 and 2, then there are no more errors in step 4. But /root should remain drwx------ for security reasons, so I wouldn't recommend this as a workaround.