User id mapping not working as expected in a privileged container

I think I know the answer here, but am looking for confirmation. I’ve read through this document many, many times. I knew that for privileged containers container root = system root, but I somehow didn’t get the memo that other UIDs seem to be shared as well:

[pgoetz@gecko ~]$ id pgoetz
uid=1001(pgoetz) gid=1001(pgoetz) groups=1001(pgoetz),998(wheel),27(sudo),969(libvirt),967(lxd)
[pgoetz@gecko ~]$ lxc exec samba-dc -- su -l pgoetz
pgoetz@samba-dc:~$ vi foobar

(type some junk and save the file)

pgoetz@samba-dc:~$ ls -l
total 4
-rw-rw-r-- 1 pgoetz pgoetz 8 Oct 28 13:18 foobar
pgoetz@samba-dc:~$ id pgoetz
uid=1001(pgoetz) gid=1001(pgoetz) groups=1001(pgoetz)

Meanwhile, back in bare metal land:

[root@gecko pgoetz]# pwd
[root@gecko pgoetz]# ls -l
total 4
-rw-rw-r-- 1 pgoetz pgoetz 8 Oct 28 08:18 foobar

Because of

[root@gecko pgoetz]# cat /etc/subuid

I was expecting this file to be owned by user 101001, but it looks like in privileged containers the user namespace is just the system namespace. Not sure I’ve seen that documented anywhere, but of course useful to know.

Wouldn’t this cause problems if, for example, you’re running mysql on your bare metal system and also inside the container?
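
An added example, not part of the original post: the kernel exposes each process's ID mapping in /proc/<pid>/uid_map, and the Python sketch below translates a container UID to its host UID under an identity map (no separate user namespace, as in a privileged container) and under a shifted map. Both sample maps are constructed; the 100000/65536 range is an assumption chosen to match the 101001 the post expected.

```python
"""Translate container UIDs to host UIDs using /proc/<pid>/uid_map contents."""
from typing import List, NamedTuple, Optional


class Extent(NamedTuple):
    inside: int   # first ID as seen inside the namespace
    outside: int  # first ID as seen in the parent (host) namespace
    count: int    # number of consecutive IDs covered


def parse_id_map(text: str) -> List[Extent]:
    """Parse the three-column format of /proc/<pid>/uid_map or gid_map."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        extents.append(Extent(*map(int, fields)))
    return extents


def to_host_id(inside_id: int, extents: List[Extent]) -> Optional[int]:
    """Return the host ID backing inside_id, or None if it is unmapped."""
    for e in extents:
        if e.inside <= inside_id < e.inside + e.count:
            return e.outside + (inside_id - e.inside)
    return None


def shares_host_ids(extents: List[Extent]) -> bool:
    """True when every extent is an identity map (no UID isolation)."""
    return bool(extents) and all(e.inside == e.outside for e in extents)


# Constructed samples. The first is the identity map of the initial user
# namespace; the second assumes a 100000/65536 subordinate range.
PRIVILEGED_MAP = "         0          0 4294967295\n"
UNPRIVILEGED_MAP = "         0     100000      65536\n"

if __name__ == "__main__":
    for name, raw in (("privileged", PRIVILEGED_MAP), ("unprivileged", UNPRIVILEGED_MAP)):
        m = parse_id_map(raw)
        print(name, "uid 1001 ->", to_host_id(1001, m), "shares host ids:", shares_host_ids(m))
```

On a live host, feed `parse_id_map` the contents of /proc/<pid>/uid_map for a process running inside the container; an identity map means files written by UID 1001 in the container are owned by host UID 1001.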