User namespaces remap the container's UIDs (including root) to unprivileged host UIDs, enabling rootless mode. cgroups limit resources, seccomp filters syscalls, and capabilities split root's powers; all are useful, but none provides the UID remapping that rootless mode relies on.