I appreciate the detailed explanation of ID/GID mapping.
> it is often much safer to use mount NFS internally
This is the config I'm trying to move away from! I don't see how an unprivileged LXC with a bind mount is worse than a privileged container with NFS, FUSE, and nesting enabled (I need all of that if I can't aggregate on the host).
NFS and CIFS within the container require kernel-level access and therefore the LXC must be privileged. I'd rather have a single defined path.
I tried to get around this using FUSE but it creates its own issues with snapshots/backups (fsfreeze).
If my solution works for a regular LXC it will probably work for Podman.