But certain namespaces cannot be created without CAP_SYS_ADMIN. Sure, you can drop privileges later, but a privilege escalation exploit in the container gives the attacker root access outside of that container, too. Sure, user namespaces have had issues, but they seem a hell of a lot safer than no isolation at all. Furthermore, user namespaces allow unprivileged users to create containers, too, which is particularly exciting.
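Added example, not part of the original comment: a C check that reads a container's `uid_map` (format from user_namespaces(7)) and reports whether root inside the container is also root outside it, which is the difference the comment describes. The function names and the three sample maps are constructed for illustration, and the map is assumed to be read from `/proc/<pid>/uid_map` by a process in the initial user namespace, for a container that is not nested.

```c
#include <stdio.h>
#include <string.h>

/* Translate a UID inside a user namespace to the UID outside it.
 * uid_map text has one extent per line: "<first-inside> <first-outside> <count>".
 * Returns 0 and sets *outside on success, -1 if the UID is not mapped. */
int map_uid(const char *uid_map, unsigned long inside, unsigned long *outside)
{
    const char *p = uid_map;
    while (p && *p) {
        unsigned long in, out, count;
        if (sscanf(p, "%lu %lu %lu", &in, &out, &count) == 3 &&
            inside >= in && inside - in < count) {
            *outside = out + (inside - in);
            return 0;
        }
        p = strchr(p, '\n');          /* advance to the next extent */
        if (p) p++;
    }
    return -1;
}

/* 1: container root is host root (no user-namespace isolation)
 * 0: container root maps to an unprivileged host UID
 * -1: UID 0 is not mapped at all */
int root_is_host_root(const char *uid_map)
{
    unsigned long outside;
    if (map_uid(uid_map, 0, &outside) != 0)
        return -1;
    return outside == 0;
}

/* Constructed samples (hypothetical containers) */
static const char MAP_NO_USERNS[] = "         0          0 4294967295\n";
static const char MAP_USERNS[]    = "         0     100000      65536\n";
static const char MAP_SINGLE[]    = "      1000       1000          1\n";

int main(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/uid_map", "r");   /* this process's own map */
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    printf("no userns: %d\n", root_is_host_root(MAP_NO_USERNS));
    printf("userns:    %d\n", root_is_host_root(MAP_USERNS));
    printf("single:    %d\n", root_is_host_root(MAP_SINGLE));
    printf("self:      %d\n", root_is_host_root(buf));
    return 0;
}
```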