They all look expected I think, the cgroup stuff is harmless, the devices cgroup is effectively non-functional for unprivileged containers, we could teach systemd to not even bother trying to set it up, but that’s harder than the current behavior which is to just ignore EPERM.
Looks like some unit attempted to add entropy to the kernel pool which was rejected (RNDADDENTROPY), that’s indeed not something a container should be allowed to do, if that caused anything useful to fail startup, then a bug report should be filed against it to handle unprivileged containers.
ntp_adjtime() is in the same camp, containers aren’t allowed to modify the system time as the clock is kernel-wide.
And lastly, the same applies to pam_limits where a container is allowed to reduce its ulimit/prlimit values (like nofile) but not raise it as that’d be a potential way of causing denial of service attacks against the host.
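To illustrate the pam_limits point from the reply above (a process may lower its limits, and raise a soft limit back up to the hard limit, but raising the hard limit itself needs CAP_SYS_RESOURCE in the initial user namespace, which an unprivileged container never has), here is an added Python example. It is not from the original thread or from the LXD project; the function name `probe_nofile_limits` and the returned dictionary layout are my own. It probes RLIMIT_NOFILE in the calling process and reports which changes were accepted, so run inside an unprivileged container it reports the hard-limit raise as denied, while as real root on the host it reports it as allowed.

```python
"""Probe how RLIMIT_NOFILE can be changed from inside the current process.

Added example (not part of the original post): lowering a limit is always
permitted; raising the hard limit needs CAP_SYS_RESOURCE in the initial user
namespace, which an unprivileged container does not have, so that step is
reported as "denied" there and the kernel returns EPERM.
"""
import resource


def probe_nofile_limits():
    """Return a dict describing which RLIMIT_NOFILE changes were accepted.

    Steps:
      1. lower the soft limit by one (always allowed);
      2. raise the soft limit back to its old value, still <= hard (allowed);
      3. try to raise the hard limit by one (denied without CAP_SYS_RESOURCE
         in the init user namespace, e.g. inside an unprivileged container).
    The process is left with its original limits afterwards.
    """
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    result = {"initial": (soft, hard)}

    # 1. Reduce the soft limit: any process may always do this.
    resource.setrlimit(resource.RLIMIT_NOFILE, (soft - 1, hard))
    result["lower_soft"] = resource.getrlimit(resource.RLIMIT_NOFILE)[0] == soft - 1

    # 2. Raise the soft limit back up, still not above hard: also allowed.
    resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
    result["restore_soft"] = resource.getrlimit(resource.RLIMIT_NOFILE)[0] == soft

    # 3. Attempt to raise the hard limit. CPython wraps the kernel's EPERM
    #    as ValueError("not allowed to raise maximum limit").
    if hard == resource.RLIM_INFINITY:
        result["raise_hard"] = "already_unlimited"
    else:
        try:
            resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard + 1))
            # Only reachable with CAP_SYS_RESOURCE in the init userns (host root).
            result["raise_hard"] = "allowed"
            # Lowering the hard limit again is always permitted, so restore it.
            resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
        except ValueError as exc:
            result["raise_hard"] = "denied"
            result["raise_hard_error"] = str(exc)

    result["final"] = resource.getrlimit(resource.RLIMIT_NOFILE)
    return result


if __name__ == "__main__":
    for key, value in probe_nofile_limits().items():
        print(f"{key}: {value}")
```

The "denied" outcome is the one the reply calls expected for a container: `pam_limits` (or a shell `ulimit -n`) may shrink the container's limits, but a request to grow the hard limit surfaces as EPERM in the syscall audit rather than as a real change.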