The key is user namespaces. Unprivileged users can create containers easily via user namespaces. Once the user creates a user namespace, they have root in that namespace and are free to unshare the rest of the namespaces. This is how I wrote 'guix environment --container'[0], a tool for creating isolated development environments using the GNU Guix package manager. The big caveat is that unprivileged users do not have the setuid/setgid capability, so the number of uids/gids in the container is limited to 1, but I believe that even this is being dealt with in Linux now.
[0] https://gnu.org/software/guix/manual/html_node/Invoking-guix...
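As an added illustration of the sequence the comment describes (this is my own example, not code from the comment above and not Guix's implementation), the following C program unshares a user namespace, maps the caller's single uid/gid to 0 inside it, and only then unshares the mount, PID, IPC, UTS and network namespaces. The single-entry uid_map/gid_map and the write of "deny" to /proc/self/setgroups are the parts that matter for the one-id caveat; the hostname, helper names and exit codes are choices made here for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Format one id_map line "inside outside count". A process without
 * CAP_SETUID/CAP_SETGID in the parent namespace may only map its own
 * single id, so the count is fixed at 1. Returns bytes written or -1. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside)
{
    int n = snprintf(buf, len, "%u %u 1\n", inside, outside);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t w = write(fd, s, strlen(s));
    int rc = (w == (ssize_t)strlen(s)) ? 0 : -errno;
    close(fd);
    return rc;
}

/* Create a new user namespace and map our uid/gid to 0 inside it.
 * Returns 0 on success, -errno on failure (for example -EPERM where
 * unprivileged user namespaces are disabled or seccomp blocks unshare). */
int become_root_in_new_userns(void)
{
    uid_t uid = geteuid();
    gid_t gid = getegid();
    char map[64];
    int rc;

    if (unshare(CLONE_NEWUSER) != 0)
        return -errno;
    /* Since Linux 3.19, gid_map can only be written after setgroups is
     * denied, unless the writer holds CAP_SETGID in the parent namespace. */
    if ((rc = write_file("/proc/self/setgroups", "deny")) != 0)
        return rc;
    format_id_map(map, sizeof map, 0, (unsigned)uid);
    if ((rc = write_file("/proc/self/uid_map", map)) != 0)
        return rc;
    format_id_map(map, sizeof map, 0, (unsigned)gid);
    return write_file("/proc/self/gid_map", map);
}

/* Root in the user namespace is enough to unshare the rest. Note that
 * CLONE_NEWPID only takes effect for children forked afterwards. */
int unshare_container_namespaces(void)
{
    int flags = CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWUTS | CLONE_NEWNET;
    return unshare(flags) == 0 ? 0 : -errno;
}

/* Run fn in a forked child; return the child's exit status (or -1). */
int run_in_child(int (*fn)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fn());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Child body: 0 = became uid 0 in a new user namespace, 2 = kernel refused. */
int probe_userns(void)
{
    if (become_root_in_new_userns() != 0)
        return 2;
    return getuid() == 0 ? 0 : 3;
}

int main(void)
{
    int rc = become_root_in_new_userns();
    if (rc != 0) {
        fprintf(stderr, "unshare(CLONE_NEWUSER) failed: %s\n", strerror(-rc));
        return 1;
    }
    if ((rc = unshare_container_namespaces()) != 0) {
        fprintf(stderr, "unshare(namespaces) failed: %s\n", strerror(-rc));
        return 1;
    }
    pid_t pid = fork();              /* first child becomes pid 1 of the new pid namespace */
    if (pid == 0) {
        sethostname("container", 9); /* permitted: we hold CAP_SYS_ADMIN in this user namespace */
        printf("uid=%u pid=%u\n", (unsigned)getuid(), (unsigned)getpid());
        /* Only one id is mapped, so switching to any other uid fails with EINVAL. */
        if (setuid(1) != 0)
            printf("setuid(1): %s\n", strerror(errno));
        execl("/bin/sh", "sh", (char *)NULL);
        _exit(127);
    }
    waitpid(pid, NULL, 0);
    return 0;
}
```

Run it as an ordinary user on a kernel with unprivileged user namespaces enabled and the shell it drops into reports uid 0 and pid 1, while the setuid(1) call fails because only a single id is mapped. Where the sysctl kernel.unprivileged_userns_clone (Debian/Ubuntu) or user.max_user_namespaces is set to 0, or a seccomp filter blocks unshare, the first step fails with EPERM and nothing else is attempted.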