Kernel support is there, waiting to be compiled, for user-namespace-isolated containers. It would just require an official way to launch them as a normal user.