I have mounted a few devices to my Jellyfin instance to allow hardware acceleration. I created them with the intent to give it group access. However, I realized yesterday that it's also mounted as root inside the container. I would like to remove user ownership inside the container, so that it can only access it through the user group. I didn't see any notes on it in the documentation or forums.
You should post your configuration, so we can tell you what to change.
I can mount a path on the host into the container as nobody using this:

incus config device add <instance_name> <device_name> disk source=<path_on_host> [path=<path_in_instance>]

But the other container with this profile mounts it as a user:

config:
  raw.idmap: |-
    uid 1000 1000
    gid 1000 1000
If you need to add a PCI device, use this profile; change gid, pci and type to fit your needs:

config: {}
description: hardware acceleration
devices:
  mygpu:
    gid: "44"
    gputype: physical
    mode: "0770"
    pci: "0000:00:02.0"
    type: gpu
This is how I enabled hardware acceleration for Jellyfin:
I think I might be failing to explain myself. This would indeed map the group to gid 44 inside the container, but the default is also to map the uid to root inside the container. I don't want any user to own the PCI device inside the container, as I only want the container to have the permissions I assign to the gid, even if processes are run as root in the container.
Just add uid: "65534". nobody's uid should be 65534, but it's different between distros.

You need to read the docs more thoroughly.
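Putting the thread's pieces together, as an added example rather than any poster's own profile: the GPU profile from above with an explicit uid, so that no real account inside the container owns the device node and access is granted through the group only. The pci address and gid 44 are taken from the thread; 65534 is assumed to be nobody in the container's image, and the mode is tightened to 0660 here since execute bits do nothing on a device node.

```yaml
# Added example: Incus profile for a passed-through GPU with the device node
# owned by nobody inside the container. Without "uid", the node is owned by
# root (uid 0) in the container; with uid 65534 (assumed to be "nobody" in the
# container image, check with: getent passwd 65534) only the group grants access.
config: {}
description: hardware acceleration, device node owned by nobody
devices:
  mygpu:
    type: gpu
    gputype: physical
    pci: "0000:00:02.0"   # host PCI address from the thread; adjust to your GPU (lspci)
    uid: "65534"          # owner inside the container: nobody (assumed for this image)
    gid: "44"             # group inside the container: "video" on Debian/Ubuntu images
    mode: "0660"          # rw for owner and group only, nothing for others
```

Check the result from the host with incus exec <instance> -- ls -l /dev/dri, which should show the render node owned by nobody with the video group. Root inside the container still holds CAP_DAC_OVERRIDE for uids mapped into its namespace, so this restricts unprivileged processes in the container, not container root.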
Cheers man!