Brave snap doesn't work without `--no-sandbox` on systems with CONFIG_USER_NS_UNPRIVILEGED disabled

% zgrep CONFIG_USER_NS /proc/config.gz
CONFIG_USER_NS=y
# CONFIG_USER_NS_UNPRIVILEGED is not set
% snap run brave
[2205850:2205850:1014/153436.343633:FATAL:zygote_host_impl_linux.cc(117)] No usable sandbox! You probably need to enable user namespaces in your kernel. See https://brave.com/linux for more info.
[1014/153436.343935:ERROR:process_memory_linux.cc(42)] open: Permission denied (13)
/snap/brave/133/opt/brave.com/brave/brave-browser: line 48: 2205850 Trace/breakpoint trap   (core dumped) "$HERE/brave" "$@"
%

This affects users of the linux-hardened kernel on Arch Linux, among others. From https://wiki.archlinux.org/title/Security#Sandboxing_applications:

Warning: Unprivileged user namespace usage (CONFIG_USER_NS_UNPRIVILEGED) is enabled by default in linux (5.1.8 or later), linux-lts (4.19.55-2 or later) and linux-zen (5.1.14.zen1-2 or later) unless the kernel.unprivileged_userns_clone sysctl is set to 0. Since this greatly increases the attack surface for local privilege escalation, it is advised to disable this manually, or use the linux-hardened kernel. For more information see FS#36969.

This does not affect the non-snap version of the browser:

Related: https://github.com/brave/brave-browser/issues/18723 Slack thread: https://bravesoftware.slack.com/archives/CG7GV6M7Z/p1634147626023000?thread_ts=1634046675.021500&cid=CG7GV6M7Z