Comment by nyrikki

Namespaces _may_ result in limits on what you can do with a capability, but a capability is global in scope.

If a kernel feature is gated on cap_sys_admin only, it doesn't matter at all what namespace it is in. Namespace support or additional constraints are not implicit and have to be added to each need.

People misunderstanding this is partially why we have this latest crop of vulnerabilities.