Rootless containers are wonderful right up until a volume mount, and then they are baffling. You bind-mount a directory, the container writes to it, and on the host the files belong to some user in the hundred-thousands that does not exist. The instinct is to chown it back, which fixes nothing and breaks the container instead.
The piece I was missing is that rootless Podman maps your single host user to a whole range of UIDs inside the container, taken from /etc/subuid. Root in the container is you on the host; UID 1 in the container is the first entry in your subuid range, and so on. So a file owned by 100998:100998 on the host is some service user inside. Once that clicked, the ownership stopped looking like corruption and started looking like arithmetic.
For the common case, the fix is --userns=keep-id, which lines your host UID up with the same UID inside the container, so mounted files just belong to you on both sides. When a service genuinely needs to run as a non-root user inside, podman unshare chown does the ownership change in the mapped namespace rather than fighting it from outside.
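To make the arithmetic from the two paragraphs above concrete, here is a small added shell example (mine, not part of the original post). It assumes a constructed /etc/subuid entry for a user called alice with the range 100000:65536 and a host UID of 1000; on a real host you would read those from /etc/subuid and id -u instead.

```shell
#!/bin/sh
# Added example: the rootless Podman UID arithmetic described in the post.
# The subuid entry and host UID below are constructed sample values.

SUBUID_LINE="alice:100000:65536"   # constructed /etc/subuid entry, format user:start:count
HOST_UID=1000                      # constructed: alice's UID on the host

subuid_start() { printf '%s\n' "$SUBUID_LINE" | cut -d: -f2; }
subuid_count() { printf '%s\n' "$SUBUID_LINE" | cut -d: -f3; }

# container_to_host CONTAINER_UID
# Prints the host UID that files written by CONTAINER_UID end up owned by.
container_to_host() {
    cuid=$1
    start=$(subuid_start); count=$(subuid_count)
    if [ "$cuid" -eq 0 ]; then
        echo "$HOST_UID"                 # container root is the host user itself
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
        echo $((start + cuid - 1))       # container UID 1 is the first subuid
    else
        echo unmapped                    # beyond the range: no host UID at all
    fi
}

# host_to_container HOST_FILE_UID
# The inverse: given the odd owner you see on the host, which container user is it?
host_to_container() {
    huid=$1
    start=$(subuid_start); count=$(subuid_count)
    if [ "$huid" -eq "$HOST_UID" ]; then
        echo 0                           # your own files are container root's
    elif [ "$huid" -ge "$start" ] && [ "$huid" -lt $((start + count)) ]; then
        echo $((huid - start + 1))
    else
        echo unmapped
    fi
}

# Usage: the post's 100998 owner is container UID 999, a typical service user.
host_to_container 100998
container_to_host 999
```

The same numbers are what podman unshare chown works with: running podman unshare chown 999:999 ./data names the container-side UID, and the host then shows the directory as 100998:100998, which is exactly what container_to_host 999 computes with this range. To check the real mapping rather than the constructed one, podman unshare cat /proc/self/uid_map prints the ranges the namespace actually uses.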
The other quiet win is that a runaway process in a rootless container is a runaway process owned by me, with my limits, not by root. That alone was worth the afternoon of confusion.