Even without --privileged, Docker containers will run in what LXD calls privileged mode, that is, root in the container will be real root, rather than an unprivileged user mapped to uid/gid 0 in the container.
As you saw above, LXD itself doesn’t drop that capability for you; it’s the kernel which ultimately decides not to allow it against your container’s user namespace.
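As an added illustration (not code from the thread or from LXD): a POSIX shell check that reads a uid_map to tell whether uid 0 inside a container is host root (LXD's privileged mode) or an unprivileged host uid mapped to 0. The sample maps are constructed; on a live system you would pass the contents of /proc/self/uid_map.

```shell
#!/bin/sh
# Added example, not part of the post above. Each uid_map line reads:
#   <first uid inside the namespace> <first uid on the host> <count>
# On a live system: classify_uid_map "$(cat /proc/self/uid_map)"

classify_uid_map() {
    map="$1"
    result="unmapped"            # no entry covers uid 0 at all
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        # Does this entry start at uid 0 inside the container?
        if [ "$inside" -eq 0 ] && [ "$count" -gt 0 ]; then
            if [ "$outside" -eq 0 ]; then
                result="privileged"      # container uid 0 is host uid 0
            else
                result="unprivileged"    # container uid 0 is host uid $outside
            fi
            break
        fi
    done <<EOF
$map
EOF
    printf '%s\n' "$result"
}

# Constructed samples: the identity map of the initial user namespace
# (what a privileged container sees) and an assumed unprivileged map where
# container uid 0 is host uid 1000000 with 65536 ids.
classify_uid_map "0 0 4294967295"      # prints: privileged
classify_uid_map "0 1000000 65536"     # prints: unprivileged
```

"privileged" here is the case the post describes: root in the container is real root, so any capability it holds applies to the host's namespace rather than being confined by a uid mapping.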