[SOLVED] Arch Linux: Containers only run when security.privileged=true?

Never mind. I forgot to restart the LXD daemon after creating these files. It’s working now as advertised, so marking this ticket as solved. For the benefit of someone scanning this ticket:

OS: Arch Linux
LXD version 3.10

[pgoetz@erap-atx ~]$ cat /etc/subuid
root:1000000:65536
[pgoetz@erap-atx ~]$ cat /etc/subgid
root:1000000:65536

The Arch Linux Containers Wiki page suggests that to run unprivileged containers you also need to add these lines to /etc/default/lxc:

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

I did not need to do this, nor did I add the PAM cgroups module, pam_cgfs.so, to /etc/pam.d/system-login.

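Added example, not part of the original post: a shell check that /etc/subuid and /etc/subgid delegate a usable ID range to root, which is what lets containers run without security.privileged=true. The function names, the 65536 minimum and the temporary sample files are assumptions of this example.

```shell
#!/bin/sh
# subid_range FILE USER
# Prints "START COUNT" for USER's largest well-formed range in FILE;
# returns non-zero when USER has no valid entry (or FILE is unreadable).
subid_range() {
    awk -F: -v user="$2" '
        $1 == user && NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            if ($3 + 0 > best) { best = $3 + 0; start = $2 }
        }
        END { if (best > 0) print start, best; else exit 1 }
    ' "$1"
}

# check_unprivileged_ready SUBUID_FILE SUBGID_FILE [USER] [MIN_IDS]
# Returns 0 only when both files give USER at least MIN_IDS subordinate ids.
# USER defaults to root because the LXD daemon runs as root.
check_unprivileged_ready() {
    user="${3:-root}"; min="${4:-65536}"; rc=0
    for f in "$1" "$2"; do
        if range=$(subid_range "$f" "$user" 2>/dev/null); then
            count=${range#* }
            if [ "$count" -lt "$min" ]; then
                echo "$f: $user has only $count ids (need $min)"; rc=1
            else
                echo "$f: $user -> host ids ${range% *} (+$count)"
            fi
        else
            echo "$f: no valid entry for $user"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files mirroring the entries shown in the post.
demo=$(mktemp -d)
printf 'root:1000000:65536\n' > "$demo/subuid"
printf 'root:1000000:65536\n' > "$demo/subgid"
check_unprivileged_ready "$demo/subuid" "$demo/subgid"
```

On a real host, call `check_unprivileged_ready /etc/subuid /etc/subgid`, and restart the LXD daemon after changing either file, since that restart was the missing step in the post.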