Nspawn security vulnerability

When I try to connect to the pulse server’s unix socket in /run/user/1000/pulse/native from a regular user (other than the one running the pulse server) I get permission denied. There’s just no way for me to circumvent this without compromising /run/user/1000 folder.

When I bind a folder via nspawn (launch nspawn with --bind=/run/user/1000/pulse/native:/tmp/pulse/native), I get full access to the socket (and thus parent folder?).

Which begs the question, does nspawn NOT protect the privileged /run/user/1000 folder?