A setuid bwrap binary is more secure than allowing unprivileged user namespaces and still good enough for sandboxing purposes.
Closes #15725