Since you’re running LXD, the daemon will run as root, which means the process that sets up the container will run as root before the container changes to a new user namespace and becomes completely isolated. The idmaps will be written directly in this case, even if the binaries are not setuid. It just looks like the logic in lxc-checkconfig is faulty, but that should be fixed in newer LXC versions.
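To make the distinction concrete, here is an added example (not from this thread) that parses a uid_map in the format the kernel exposes under /proc/<pid>/uid_map and checks whether the calling shell could write such a map without the setuid helpers. It assumes a POSIX shell with awk; the map text is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread. A uid_map/gid_map has one line per range:
#   <first id inside the namespace> <first id outside> <count>
# LXD's root daemon writes this file for the container's init directly;
# an unprivileged parent could only map its own single uid, so anything
# larger needs CAP_SETUID in the parent namespace (root) or the setuid
# newuidmap/newgidmap helpers that lxc-checkconfig looks for.

# Constructed sample of the kind of single-range map LXD writes for an
# unprivileged container (real value: cat /proc/<init-pid>/uid_map).
SAMPLE_UID_MAP="0 1000000 1000000000"

# map_id MAP_TEXT INSIDE_ID
# Print the host id that INSIDE_ID maps to, or "unmapped" if no range covers it.
map_id() {
    printf '%s\n' "$1" | awk -v id="$2" '
        NF == 3 && id >= $1 && id < $1 + $3 {
            print $2 + (id - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# needs_setuid_helpers
# True (exit 0) when this shell is not root and so could not write a full
# map itself; LXD never hits this case because lxd runs as root.
needs_setuid_helpers() {
    [ "$(id -u)" -ne 0 ]
}

# helper_is_setuid PATH
# True when PATH exists with the setuid bit, e.g. /usr/bin/newuidmap.
helper_is_setuid() {
    [ -u "$1" ]
}

# Stand-alone usage: show where container root and uid 1000 land on the host.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "container uid 0    -> host uid $(map_id "$SAMPLE_UID_MAP" 0)"
    echo "container uid 1000 -> host uid $(map_id "$SAMPLE_UID_MAP" 1000)"
    if needs_setuid_helpers; then
        echo "not root: a full idmap would need setuid newuidmap/newgidmap"
    else
        echo "root: idmaps can be written directly, as the LXD daemon does"
    fi
fi
```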
Thank you very much for the insight, @brauner - I’m all good then and very excited to hit it on some (test) production containers.
Hopefully there are enough keywords in this post for people to find this with a web (or in-site discussion) search so that they do not pause on this step.