
hsin003 | 1 month ago

Good questions — yes, Containarium relies heavily on *user namespaces*. Here’s how it works:

- We enable `security.nesting=true` on unprivileged LXC containers, so Docker can run inside (rootless).

- *User namespace isolation* ensures that even if a user is “root” inside the container, they are mapped to an unprivileged UID on the host (e.g., UID 100000), preventing access to host files or devices.

This setup allows developers to run Docker and do almost anything inside their sandbox, while keeping the host safe.
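The UID mapping described in the comment above can be checked from the kernel's `uid_map` file. This is an added example, not part of the original comment and not Containarium's code; the sample maps are constructed, with the `100000` base mirroring the UID mentioned above, and the function names are illustrative.

```python
"""Translate container UIDs to host UIDs using the uid_map format."""
from typing import NamedTuple, Optional


class IdRange(NamedTuple):
    inside: int   # first ID as seen inside the user namespace
    outside: int  # first ID as seen from the namespace reading the map
    count: int    # number of consecutive IDs covered by this range


# Constructed samples in the layout of /proc/<pid>/uid_map.
UNPRIVILEGED_MAP = "         0     100000      65536\n"  # unprivileged container
HOST_MAP = "         0          0 4294967295\n"          # initial namespace


def parse_id_map(text: str) -> list[IdRange]:
    """Parse uid_map/gid_map text: 'inside outside count' on each line."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        ranges.append(IdRange(*map(int, fields)))
    return ranges


def to_host_id(ranges: list[IdRange], inside_id: int) -> Optional[int]:
    """Return the outside ID for inside_id, or None if it is unmapped."""
    for r in ranges:
        if r.inside <= inside_id < r.inside + r.count:
            return r.outside + (inside_id - r.inside)
    return None


def root_is_unprivileged(ranges: list[IdRange]) -> bool:
    """True when in-namespace UID 0 does not translate to outside UID 0."""
    return to_host_id(ranges, 0) != 0


if __name__ == "__main__":
    for name, text in (("container", UNPRIVILEGED_MAP), ("host", HOST_MAP)):
        ranges = parse_id_map(text)
        print(name, "root ->", to_host_id(ranges, 0),
              "unprivileged:", root_is_unprivileged(ranges))
```

Read the map from the host (`/proc/<container-pid>/uid_map`) to see host UIDs in the outside column; a map read from inside a nested namespace, such as Docker running in the container, is relative to the parent namespace rather than the host.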
