ah maybe there's a fully rootless option recently too

https://github.com/systemd/systemd/issues/30239 https://github.com/systemd/systemd/pull/26826/files

    systemd-nspawn may be invoked with or without privileges. The full functionality is currently only available when invoked with privileges. When invoked without privileges, various limitations apply, including, but not limited to