bootc-base-imagectl: Lower necessary security options
Today we require, e.g., `--cap-add=all --security-opt=label=type:container_runtime_t --device /dev/fuse`. We can definitely drop `/dev/fuse`; that's just a legacy of some rpm-ostree stuff. What we really need in the end is basically user namespacing being enabled for the inner container, which it may or may not be in the podman case by default (in rootless mode it always is). This is where it gets quite confusing for podman, because `--cap-add=all` means something really different between rootful and rootless there. Anyways, I think we probably want something like `--userns=required` or so for `podman build`; on rootless it'd be a no-op. Or maybe we want `--cap-add=userns:all` to enforce that we're only keeping caps in a new userns.
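The flags proposed above (`--userns=required`, `--cap-add=userns:all`) are ideas from the issue, not assumed here to exist in podman. Until such an option lands, the property the issue wants can be verified at runtime from inside the build container: read `/proc/self/uid_map` to see whether we are in a child user namespace, and `CapEff` from `/proc/self/status` to see which capabilities actually survived. The following POSIX shell helpers are an added example, not bootc, bootc-base-imagectl or podman code; the sample `uid_map` and `status` contents are constructed, and the capability bit numbers are the Linux values (CAP_SETUID=7, CAP_SYS_ADMIN=21, CAP_MKNOD=27).

```shell
#!/bin/sh
# Added example, not bootc or podman code. Helpers a build wrapper could run
# inside the container to confirm it is in a child user namespace and that
# CAP_SYS_ADMIN is in the effective set. They take the *text* of the /proc
# files as arguments so they can be exercised with constructed input.

CAP_SETUID=7
CAP_SYS_ADMIN=21
CAP_MKNOD=27

# uid_map_is_userns "<contents of /proc/self/uid_map>"
# True (exit 0) unless the map is the identity map of the initial user
# namespace, which the kernel renders as a single "0 0 4294967295" line.
# Any other mapping (rootless podman, --userns=auto, ...) means a child userns.
uid_map_is_userns() {
    normalized=$(printf '%s\n' "$1" | tr -s ' \t' ' ' | sed 's/^ //;s/ $//')
    [ "$normalized" != "0 0 4294967295" ]
}

# status_capeff "<contents of /proc/self/status>"
# Prints the CapEff value: a 64-bit hex bitmask without the 0x prefix.
status_capeff() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2; exit }'
}

# capeff_has <hex-mask> <capability-number>
# True when the given capability bit is set in the mask.
capeff_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Constructed samples (not captured from a real system):
# initial-namespace identity map, a rootless-style map, full caps, and
# the podman default capability set (no CAP_SYS_ADMIN).
SAMPLE_UID_MAP_HOST='         0          0 4294967295'
SAMPLE_UID_MAP_ROOTLESS='         0       1000          1
         1     100000      65536'
SAMPLE_CAPEFF_ALL=000001ffffffffff
SAMPLE_CAPEFF_DEFAULT=00000000a80425fb
SAMPLE_STATUS='Name:   sh
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff'

# check_build_env: read the live /proc files and report. Exits 0 only when
# we are in a user namespace *and* hold CAP_SYS_ADMIN, which is roughly the
# condition the issue would like a podman flag to enforce for the inner build.
check_build_env() {
    uid_map=$(cat /proc/self/uid_map) || return 2
    capeff=$(status_capeff "$(cat /proc/self/status)") || return 2
    rc=0
    if uid_map_is_userns "$uid_map"; then
        echo "user namespace: yes"
    else
        echo "user namespace: NO (initial namespace; capabilities apply to the host)"
        rc=1
    fi
    for cap in SETUID SYS_ADMIN MKNOD; do
        eval "n=\$CAP_$cap"
        if capeff_has "$capeff" "$n"; then
            echo "CAP_$cap: present"
        else
            echo "CAP_$cap: missing"
            if [ "$cap" = SYS_ADMIN ]; then rc=1; fi
        fi
    done
    return "$rc"
}

# Run the live check only when asked: sh thisfile.sh --check
case "${1:-}" in
    --check) check_build_env ;;
esac
```

Run with `--check` inside `podman run --cap-add=all ...` in rootful and rootless mode to see the difference the issue describes: rootless reports a user namespace (non-identity `uid_map`) while rootful with the default `--userns` reports the initial namespace, so `--cap-add=all` there hands the build real host capabilities.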