Stop making /usr/bin/bwrap setuid root
With Debian kernels >= 5.10, this is no longer necessary: unprivileged users can now create user namespaces, the same as in upstream kernels and Ubuntu.
For smooth upgrades, install a sysctl configuration fragment that will configure older kernels to behave similarly if the recommended procps package is installed.
Not uploading this immediately to give the kernel and security teams a chance to veto it, but I want to upload this or something quite similar before bullseye gets much more frozen.