re-add flag `--no-sandbox` to restore docker runtime support (`podman run` succeeds without flag)

reverts commit d12a966462823840690a9217816ad3cf47e349ba

```
The setuid sandbox is not running as root. Common causes:
* An unprivileged process using ptrace on it, like a debugger.
* A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
/usr/bin/brave-browser: line 48: 12 Trace/breakpoint trap "$HERE/brave" "$@"
```