Found an interesting kernel patch and discussion: https://patchwork.kernel.org/patch/10039431/
It’s unlikely this patch has been integrated into a PureOS kernel.
If user-created user namespaces are so insecure, why does Brave require them by default?
There is another post about enabling namespaces for Brave, but there is no commentary on the security implications: Brave Browser in PureOS, won't launch