[SOLVED] Arch Linux: Containers only run when security.privileged=true?

So I finally had a chance to revisit this. Here are my subuid/subgid files:

[pgoetz@erap-atx ~]$ cat /etc/subuid 
"root:1000000:65536"
[pgoetz@erap-atx ~]$ cat /etc/subgid 
"root:1000000:65536"

Here’s what happens when I try and launch a new container:

[pgoetz@erap-atx ~]$ lxc launch images:ubuntu/16.04 u16
Creating u16
Starting u16                                
Error: Failed to run: /usr/bin/lxd forkstart u16 /var/lib/lxd/containers /var/log/lxd/u16/lxc.conf: 
Try `lxc info --show-log local:u16` for more info

[pgoetz@erap-atx ~]$ lxc info --show-log local:u16
Name: u16
Location: none
Remote: unix://
Architecture: x86_64
Created: 2019/02/21 15:54 UTC
Status: Stopped
Type: persistent
Profiles: default

Log:

lxc u16 20190221155412.927 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "newuidmap: uid range [0-1000000000) -> [1000000-1001000000) not allowed": newuidmap 10489 0 1000000 1000000000
lxc u16 20190221155412.927 ERROR    start - start.c:lxc_spawn:1727 - Failed to set up id mapping. 
lxc u16 20190221155412.179 WARN     network - network.c:lxc_delete_network_priv:2613 - Invalid argument - Failed to remove interface "vethPX1QE0" from "lxdbr0"
lxc u16 20190221155412.179 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:864 - Received container state "ABORTING" instead of "RUNNING"
lxc u16 20190221155412.179 ERROR    start - start.c:__lxc_start:1972 - Failed to spawn container "u16"
lxc u16 20190221155412.186 ERROR    conf - conf.c:lxc_map_ids:3052 - newuidmap failed to write mapping "newuidmap: uid range [0-1000000000) -> [1000000-1001000000) not allowed": newuidmap 10501 0 1000000 1000000000 1000000000 0 1
lxc u16 20190221155412.186 ERROR    conf - conf.c:userns_exec_1:4422 - Error setting up {g,u}id mappings for child process "10501"
lxc u16 20190221155412.186 WARN     cgfsng - cgroups/cgfsng.c:cgfsng_payload_destroy:1122 - Failed to destroy cgroups
lxc 20190221155412.188 WARN     commands - commands.c:lxc_cmd_rsp_recv:132 - Connection reset by peer - Failed to receive response for command "get_state"

Is the syntax in my /etc/subuid and /etc/subgid incorrect? I just lifted this from the Arch AUR package post installation instructions.