Also worth noting that one of the first thing any sandbox based on user namespaces will do is *disabling* user namespaces. The programs using them acknowledge them to be a huge security problem. It doesn't work out well when only a subset of processes are running in that container env.
The only sane way to approach this without taking a different path is implementing plumbing to only expose user namespaces to the sandbox spawning executables. Kernel infrastructure exists for doing that already. It just depends on whether anyone is willing to do any real work vs. complaining about it and denying the facts.