Can I run Docker-in-Docker without using the --privileged flag

Yes, you can run docker in docker without the --privileged flag. It involves mounting the docker socket to the container like so:

   docker run -it -v /var/run/docker.sock:/var/run/docker.sock \
               -v $(which docker):/bin/docker \
               alpine docker ps -a

That is going to mount the docker socket and executable into the container and run docker ps -a within the alpine container. Jérôme Petazzoni, who authored the dind example and did a lot of the work on the --privileged flag, had this to say about docker in docker:

https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/

I have been using this approach for a while now and it works pretty well.

The caveat with this approach is that things get funky with storage. You're better off using data volume containers or named data volumes rather than mounting directories. Since you're using the docker socket from the host, any directories you want to mount within a child container need to be from the context of the host, not the parent container. It gets weird. I have had better luck with data volume containers.


Unfortunately no, you must use the --privileged flag to run Docker in Docker; you can take a look at the official announcement, where they state this is one of the many purposes of the --privileged flag.

Basically, you need more access to the host system devices to run docker than you get when running without --privileged.
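Both answers describe a container that can reach the host daemon: the first by bind-mounting /var/run/docker.sock, the second via --privileged. Either one gives whatever runs inside the container root-equivalent control of the host, so it is worth being able to find such containers on a host. The following is an added audit script (not code from either answer); it reads the JSON that `docker inspect` produces and flags containers that are privileged or that bind-mount the daemon socket. The `SAMPLE_RECORDS` are constructed to mirror the two patterns above, trimmed to the `HostConfig.Privileged`, `HostConfig.Binds` and `Mounts` fields that real inspect output contains.

```python
"""Audit `docker inspect` output for containers that can control the host
Docker daemon: --privileged containers and containers that bind-mount the
daemon socket. Both are host-root equivalent."""
import json
import os
import sys

# Host paths at which the daemon socket is usually exposed via a bind mount.
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample records (not real inspect output), reduced to the fields
# the audit looks at. Real `docker inspect` output carries many more keys.
SAMPLE_RECORDS = [
    {   # mirrors the socket-mounting `docker run` from the first answer
        "Id": "1111aaaa2222bbbb", "Name": "/socket-client",
        "HostConfig": {"Privileged": False,
                       "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                                 "/usr/bin/docker:/bin/docker"]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"},
                   {"Type": "bind", "Source": "/usr/bin/docker",
                    "Destination": "/bin/docker"}],
    },
    {   # the --privileged dind pattern from the second answer
        "Id": "3333cccc4444dddd", "Name": "/dind",
        "HostConfig": {"Privileged": True, "Binds": None},
        "Mounts": [],
    },
    {   # an ordinary container using only a named volume
        "Id": "5555eeee6666ffff", "Name": "/web",
        "HostConfig": {"Privileged": False, "Binds": []},
        "Mounts": [{"Type": "volume",
                    "Source": "/var/lib/docker/volumes/web/_data",
                    "Destination": "/usr/share/nginx/html"}],
    },
]


def _mount_sources(record):
    """Yield host-side source paths from both the normalised `Mounts` list and
    the raw `HostConfig.Binds` strings of the form "src:dst[:opts]"."""
    for mount in record.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source"):
            yield mount["Source"]
    for bind in (record.get("HostConfig") or {}).get("Binds") or []:
        yield bind.split(":", 1)[0]


def audit_container(record):
    """Return a list of finding strings for one `docker inspect` record."""
    findings = []
    host_config = record.get("HostConfig") or {}
    if host_config.get("Privileged"):
        findings.append("privileged: all host devices and capabilities")
    for source in _mount_sources(record):
        if os.path.normpath(source) in DOCKER_SOCKET_PATHS:
            findings.append(
                f"docker socket mounted from {source}: host-root equivalent")
            break  # Binds and Mounts usually list the same mount twice
    return findings


def audit(records):
    """Map container name -> findings, for containers with at least one."""
    result = {}
    for record in records:
        name = record.get("Name", "").lstrip("/") or record.get("Id", "")[:12]
        findings = audit_container(record)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    # Usage on a real host:  docker inspect $(docker ps -q) | python3 audit.py -
    # With no argument the constructed SAMPLE_RECORDS are audited instead.
    records = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_RECORDS
    for name, findings in audit(records).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

The check reads both `Mounts` and `HostConfig.Binds` because the two are populated differently depending on how the container was created; a socket mount from either list is reported once per container. On the sample records it reports `socket-client` and `dind` and stays silent on `web`.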