virt-podman: Document that full systemd functionality needs CAP_SYS_ADMIN
See #1078205 for more details.
I don't know the precise security implications of CAP_SYS_ADMIN (is it a container escape, or is Podman designed to prevent all of its external effects via e.g. seccomp?), so this should be fact-checked by someone who understands this better, either here or via mail to the bug.
When we understand its implications better, we could consider adding a shortcut command-line option for this (--trust-root-in-testbed?), but let's document current functionality first.