There's something seriously wrong somewhere in this chain:
Chrome wants to sandbox its renderer processes so they can't write to the file system. To do this, it uses a tool, chrome_sandbox, that requires elevated privileges. (Used to be setuid root, now uses namespaces.)
Which means that I can't run Chrome inside a container, because it needs to be able to make new namespaces, and that's a privileged operation.
And I'm not the sysadmin. I only have (pseudo-)root inside the container.
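
To check from inside a container whether the process is allowed to create the namespaces a sandbox like this depends on, here is a small Linux probe. It is an added example, not part of the original post; the names `probe_unshare` and `explain` are illustrative, and the errno explanations list the usual causes rather than a diagnosis of any particular host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try unshare(flags) in a throwaway child so the caller's own namespaces
 * are untouched. Returns 0 on success, the child's errno on failure,
 * or -1 if the probe itself could not run (fork failed, child was killed). */
int probe_unshare(int flags)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int err = (unshare(flags) == 0) ? 0 : errno;
        _exit(err & 0xff);   /* errno values of interest fit in one byte */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Map a probe result to its usual cause on Linux. */
const char *explain(int result)
{
    switch (result) {
    case 0:      return "allowed";
    case EPERM:  return "denied: seccomp/LSM policy, a sysctl, or a missing capability";
    case ENOSPC: return "denied: namespace limit reached (user.max_user_namespaces may be 0)";
    case EINVAL: return "unsupported flags, or kernel built without this namespace type";
    case ENOSYS: return "unshare() is not available";
    case -1:     return "probe could not run";
    default:     return "failed: unexpected errno";
    }
}

int main(void)
{
    /* An unprivileged process must create a user namespace first; the
     * capabilities it gains there are what permit the other namespace types. */
    int user = probe_unshare(CLONE_NEWUSER);
    int user_pid = probe_unshare(CLONE_NEWUSER | CLONE_NEWPID);
    printf("user namespace:       %s (%d)\n", explain(user), user);
    printf("user + PID namespace: %s (%d)\n", explain(user_pid), user_pid);
    return user == 0 ? 0 : 1;
}
```

An `EPERM` or `ENOSPC` result means the restriction is set by the host or the container runtime, so it cannot be lifted with root inside the container alone.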