There's something seriously wrong somewhere in this chain:
Chrome wants to sandbox its renderer processes so they can't write to the file system. To do this, it uses a tool, chrome_sandbox, that requires elevated privileges. (Used to be setuid root, now uses namespaces.)
Chrome thinks unprivileged user namespaces are a good way to sandbox their processes.
Debian thinks they're a serious security risk and disables them by default.
Docker relies on them, but doesn't allow them to be used recursively.