by nixcraft 1125 days ago
LXD uses unprivileged containers (user namespaces) with the setup done by the root user. All containers run in unprivileged mode by default. However, specific config that only a privileged user can do (mount disks/partitions, set up network devices, allocate more complex mappings for the user namespace, etc.) is done on LXD using the root user or the LXD group. Even rootless Podman needs root access in many cases, for example to open a port < 1024 or to mount EFS/NFS inside; in other edge cases, you can't use rootless Podman at all. These are Linux kernel limitations last I checked and are sometimes caused by various distros applying other security patches to their kernels too.

LXD supports (all of these have pros and cons, and you must choose the type that solves your problem):

1. Privileged containers.

2. Unprivileged containers as an unprivileged user.

3. Unprivileged containers as root.

One frustrating issue is that many developers and IT professionals are reluctant to use Podman due to certain unique situations and edge cases. Docker is more commonly used and tested, making it the preferred option despite Podman's beneficial features.
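Added example (not part of the comment above, and not LXD or Podman code): the three container types in the list differ in how uids inside the container map onto the host, and the kernel expresses that mapping in `/proc/<pid>/uid_map` as lines of `<inside> <outside> <count>`. The small translator below parses that format and converts ids in both directions, returning the kernel's overflow id (65534, "nobody") for host ids the container cannot see. The three sample maps are constructed for illustration: an LXD-style unprivileged container whose root is host uid 1000000, a rootless-Podman-style map where the user's own uid becomes container root and a /etc/subuid range supplies the rest, and the identity map of a privileged container. The base 1000000 and the subuid range 100000 are assumed values, not something every install uses.

```python
"""Translate uids/gids across a user namespace using the /proc/<pid>/uid_map format."""
from dataclasses import dataclass
from typing import List, Optional

# Kernel default for /proc/sys/kernel/overflowuid: what an unmapped host id looks like inside.
OVERFLOW_ID = 65534


@dataclass(frozen=True)
class IdRange:
    inside: int   # first id as seen inside the namespace
    outside: int  # first id as seen on the host
    count: int    # number of consecutive ids in the range


def parse_id_map(text: str) -> List[IdRange]:
    """Parse uid_map/gid_map text: one 'inside outside count' triple per line."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if inside < 0 or outside < 0 or count <= 0:
            raise ValueError(f"invalid id_map range: {line!r}")
        ranges.append(IdRange(inside, outside, count))
    return ranges


def to_host(ranges: List[IdRange], container_id: int) -> Optional[int]:
    """Host id for an id used inside the container, or None if the container cannot use it."""
    for r in ranges:
        if r.inside <= container_id < r.inside + r.count:
            return r.outside + (container_id - r.inside)
    return None


def to_container(ranges: List[IdRange], host_id: int) -> int:
    """Id the container sees for a host id; unmapped host ids collapse to OVERFLOW_ID."""
    for r in ranges:
        if r.outside <= host_id < r.outside + r.count:
            return r.inside + (host_id - r.outside)
    return OVERFLOW_ID


# Constructed sample maps (assumed bases, not taken from any real system).
LXD_UNPRIV_MAP = "0 1000000 65536\n"              # unprivileged container as root
ROOTLESS_MAP = "0 1000 1\n1 100000 65536\n"       # unprivileged container as uid 1000
PRIVILEGED_MAP = "0 0 4294967295\n"               # privileged container: identity map


def demo() -> dict:
    """Show why a host-owned file looks like 'nobody' in an unprivileged container."""
    lxd = parse_id_map(LXD_UNPRIV_MAP)
    rootless = parse_id_map(ROOTLESS_MAP)
    priv = parse_id_map(PRIVILEGED_MAP)
    return {
        # container root really is host uid 1000000 (the host's ps shows that uid)
        "lxd_root_on_host": to_host(lxd, 0),
        # a bind-mounted file owned by host uid 1000 is unmapped, so it shows as nobody;
        # this is the gap that LXD's idmap/shifting configuration exists to close
        "host_1000_in_lxd": to_container(lxd, 1000),
        # in the rootless map the invoking user's own uid is container root
        "host_1000_in_rootless": to_container(rootless, 1000),
        # container uid 1 comes from the subuid range
        "rootless_uid1_on_host": to_host(rootless, 1),
        # a privileged container's root is host root
        "priv_root_on_host": to_host(priv, 0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `to_container` result of 65534 for host uid 1000 is the concrete reason unprivileged containers need extra, root-performed setup before a host directory or partition can be mounted in with usable ownership, which is the "mount disks/partitions" case the comment lists.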