Mic92 / cntr

A container debugging tool based on FUSE

cntr only runnable as root?

bhipple opened this issue · comments

If I have user namespaces enabled on a Linux box, the nix daemon can run as a "nobody" user with sandboxing enabled and this "just works" without issue.

However, if I then try to use cntr with an interactive breakpoint, I see this:

To attach install cntr and run the following command as root:

   cntr attach -t command cntr-/nix/store/q1l80p0z1v7gc2q7zri8xlkx5s2ap86k-debug

and indeed, it fails if not run as root, as advertised.

   $ cntr attach -t command cntr-/nix/store/q1l80p0z1v7gc2q7zri8xlkx5s2ap86k-debug
   failed to get status of target process: Could not find namespace pid in /proc/221016/status

Is this a fundamental limitation or is there a way that I can find the nobody daemon's namespace pid (either as another user, or as the nobody daemon itself)?
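As an added illustration (not part of this issue and not cntr's own code): a small Python helper that performs the lookup the quoted error refers to, reading the NSpid line of /proc/<pid>/status, where the kernel lists a process's pid at each pid-namespace level, and distinguishing "line absent" from "file not readable by this uid". All status texts below are constructed samples.

```python
"""Resolve a process's pid inside its pid namespace from /proc/<pid>/status.

Hypothetical diagnostic helper, not cntr's own code.  The NSpid line lists
the pid at every pid-namespace level, outermost first (Linux 4.1+).
"""
import os
import re
from typing import Optional

NSPID_RE = re.compile(r"^NSpid:\s*(.*)$", re.MULTILINE)

class NamespacePidError(Exception):
    """Raised when the namespace pid cannot be determined."""

def parse_nspid(status_text: str) -> list[int]:
    """Pids on the NSpid line, outermost namespace first."""
    m = NSPID_RE.search(status_text)
    if m is None:
        raise NamespacePidError("Could not find namespace pid")
    return [int(tok) for tok in m.group(1).split()]

def nspid_or_none(status_text: str) -> Optional[list[int]]:
    """As parse_nspid, but None when the line is absent."""
    try:
        return parse_nspid(status_text)
    except NamespacePidError:
        return None

def innermost_pid(status_text: str) -> int:
    """Pid as seen inside the deepest namespace (1 for a sandbox's init)."""
    return parse_nspid(status_text)[-1]

def namespace_pid_of(pid: int) -> int:
    """Read the live /proc entry; unreadable (e.g. hidepid) means retry as root."""
    path = f"/proc/{pid}/status"
    try:
        with open(path) as f:
            text = f.read()
    except PermissionError as e:
        raise NamespacePidError(f"{path} not readable as uid {os.getuid()}") from e
    return innermost_pid(text)

# Constructed samples: a nix sandbox process that is pid 221016 on the host
# and pid 1 inside its namespace; a plain host process; a status file with
# no NSpid line, which yields an error like the one quoted in this issue.
SAMPLE_SANDBOXED = "Name:\tbash\nPid:\t221016\nNSpid:\t221016\t1\nUid:\t65534\t65534\n"
SAMPLE_HOST_ONLY = "Name:\tbash\nPid:\t4242\nNSpid:\t4242\n"
SAMPLE_OLD_KERNEL = "Name:\tbash\nPid:\t4242\n"
```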

Yes. It only runs as root. The FUSE implementation requires some privileged access to function correctly in the POSIX sense. There is no plan to change that.

Makes sense, I assumed as much but figured I'd double check just in case; thanks for the clarification!