Draft: Disable unprivileged userns and make bwrap setuid root

A setuid bwrap binary is more secure than allowing unprivileged user namespaces and still good enough for sandboxing purposes.

Closes #15725