Ramblings of an aging IT geek
linux

rootless containers, and the subuid rabbit hole

A short note on getting rootless Podman containers working, and the user namespace mapping that quietly breaks everything until you set it up.


I have wanted my containers to stop running as root for a long time, and Podman finally makes that pleasant rather than heroic. Running a container as your own user, no daemon, no socket owned by root, is exactly the security posture I want for the bits and bobs running on my home box.

The first attempt failed in a way that looked like a permissions bug and was actually a missing mapping. Rootless containers lean on user namespaces, which means your single host user needs a range of subordinate UIDs and GIDs to hand out to processes inside the container. Without those, anything beyond the simplest image falls over with confusing ownership errors.

The fix is one line each in /etc/subuid and /etc/subgid, identical in both files:

johnm:100000:65536

That gives my user 65536 subordinate IDs starting at 100000. After a podman system migrate to pick up the new ranges, the images that had been throwing chown errors just worked. UID 0 inside the container maps to my unprivileged user outside it, which is the whole point: a process that thinks it is root has none of root's powers on the host.
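As an added example (not part of the original post), a POSIX shell script that works out where a given container UID lands on the host under a subuid entry like the one above, and checks that the ranges handed to different users do not overlap. The /etc/subuid content, the second user alice and the host UID 1000 are constructed for the example rather than read from a real system.

```shell
#!/bin/sh
# Constructed sample of /etc/subuid (not read from the host).
SUBUID_SAMPLE='johnm:100000:65536
alice:165536:65536'

# subuid_range USER: print "start count" for USER from the sample.
subuid_range() {
  printf '%s\n' "$SUBUID_SAMPLE" |
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# map_uid HOST_UID USER CONTAINER_UID: print the host UID that a UID inside
# a rootless container is mapped to. Rootless Podman maps container UID 0 to
# the user's own host UID, and container UIDs 1..count to start..start+count-1
# from the user's subuid range. Anything outside that prints "unmapped".
map_uid() {
  host_uid=$1 user=$2 cuid=$3
  if [ "$cuid" -eq 0 ]; then
    echo "$host_uid"
    return 0
  fi
  # Load "start count" for the user into $1 and $2.
  set -- $(subuid_range "$user")
  start=$1 count=$2
  if [ -z "$start" ] || [ "$cuid" -gt "$count" ]; then
    echo unmapped
    return 0
  fi
  echo $((start + cuid - 1))
}

# check_overlap: succeed only if no two subuid ranges in the sample overlap.
# Overlapping ranges would let one user's containers own another's files.
check_overlap() {
  printf '%s\n' "$SUBUID_SAMPLE" | sort -t: -k2,2n | awk -F: '
    NR > 1 && $2 < prev_end { bad = 1 }
    { prev_end = $2 + $3 }
    END { exit (bad ? 1 : 0) }'
}

# Example run: root in the container is the host user; UID 1 is 100000.
map_uid 1000 johnm 0
map_uid 1000 johnm 1
check_overlap && echo "no overlapping subuid ranges"
```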

The mental model is the hard part, not the commands. Once "root in the container is nobody special outside it" clicks, the rest is ordinary. My homelab services now run as me, no daemon in sight, and a compromised container gets you precisely a normal user account. That will do nicely.