I think I may have complicated things by using linuxserver.io images, which already require some ID-mapping trickery on the rootless Podman side, as they expect to run as root...