
Seems like the OS should be doing a lot more sandboxing of hardware features. And is Chromium ever run as root? How could it install a rootkit if not?


The problem is that a browser does really want access to a whole lot of stuff as it's almost an OS.

But no, Chromium doesn't run as root afaik, the rootkit stuff is complete bullshit.


The sandbox binary uses setuid root if user namespaces aren't available, but that's a necessity for making the empty chroot and process/network namespaces used to sandbox tabs. The layer-2 sandboxing code (seccomp-bpf) doesn't require anything like that, but they're meant to be complementary (although both are strict enough that they could act as a meaningful sandbox alone).


That's really interesting, thanks.



