Just read the “ungoogled Chromium” documentation and it mentioned to enable this kernel argument to enable the Namespace Sandbox.
I dont care about that Browser at all, but its Sandbox sounds nice. I would 100% invest more time into securing Firefox (in fact I do a bit) but I can imagine enabling this by default would improve usability.
Would there be any drawbacks from enabling this karg?
As far as I know that is Debian specific, quoting Controlling access to user namespaces [LWN.net]
… on Debian systems, the knob is called
unprivileged_userns_clone…
Don’t know about drawbacks but the quoted article seems like a good read.
interesting, this thread is pretty old.
On secureblue, a hardened Fork of Fedora Atomic based on Ublue Startingpoint, user namespaces are disabled and Chromium as well as Brave work. But unsure if the Sandbox needs user namespaces