The kernel on your distribution is configured in a way that prevents this from working properly. Maybe you want to discuss this issue with your Linux distribution.
So a solution is to run
sysctl kernel.unprivileged_userns_clone=1
then you won’t need the --no-sandbox.
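A check to run before and after changing the setting, as an added example that is not part of the original text. The function name `userns_status` and its optional directory argument are hypothetical. The second knob, `user.max_user_namespaces`, is not mentioned above; it is the upstream kernel's per-user limit, and a value of 0 also disables user namespaces.

```shell
#!/bin/sh
# Added example: report whether unprivileged user namespaces are usable,
# judged from the two sysctl knobs below.
#
# userns_status [SYSCTL_ROOT]
#   SYSCTL_ROOT defaults to /proc/sys; passing another directory lets the
#   function be exercised against constructed sample values.
#   Prints one status line; returns 0 if enabled, 1 if disabled.
userns_status() {
    root="${1:-/proc/sys}"
    clone_file="$root/kernel/unprivileged_userns_clone"
    max_file="$root/user/max_user_namespaces"

    # Distribution-specific knob (the one set by the sysctl command above).
    # If the file is absent, the kernel does not carry that patch and the
    # knob places no restriction.
    if [ -r "$clone_file" ]; then
        if [ "$(cat "$clone_file")" = "0" ]; then
            echo "disabled: kernel.unprivileged_userns_clone=0"
            return 1
        fi
    fi

    # Upstream limit on the number of user namespaces; 0 means none may be
    # created, whatever the first knob says.
    if [ -r "$max_file" ]; then
        if [ "$(cat "$max_file")" = "0" ]; then
            echo "disabled: user.max_user_namespaces=0"
            return 1
        fi
    fi

    echo "enabled"
    return 0
}

# Report the state of the running system.
userns_status || true
```

A value set with `sysctl` on the command line lasts until reboot; the same `key=value` line in a file under /etc/sysctl.d/ makes it persistent.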