
heavyset_go, last Thursday at 12:13 AM

Users in user namespaces are granted capabilities that root has; user namespaces themselves need to be locked down to prevent that, but if a user with root capabilities escapes the namespace, they have the capabilities on the host.

They also expose kernel interfaces that, if exploited, can lead to the same.

In the end, namespaces are just for partitioning resources; using them for sandboxes can work, but they aren't really sandboxes.
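
Added example, not part of the comment above: one way to check whether a Linux host has locked down unprivileged user namespace creation, by reading the sysctl files that control it. The function names and verdict labels are assumptions made for this sketch; two of the three sysctls are distribution patches and are treated as optional.

```python
from pathlib import Path

def read_int(root, rel):
    """Read an integer sysctl file under root; None if absent or unreadable."""
    try:
        return int((Path(root) / rel).read_text().strip())
    except (OSError, ValueError):
        return None

def audit_userns(root="/proc/sys"):
    """Classify how far user namespace creation is locked down.

    Returns (verdict, reason). Checks run from the strictest control to the weakest.
    """
    # Upstream Linux sysctl: limit on user namespaces; 0 blocks creation entirely.
    max_ns = read_int(root, "user/max_user_namespaces")
    # Distribution patch (Debian/Ubuntu kernels): 0 requires privilege to create one.
    clone = read_int(root, "kernel/unprivileged_userns_clone")
    # Ubuntu sysctl: 1 puts unprivileged creation under AppArmor policy.
    aa = read_int(root, "kernel/apparmor_restrict_unprivileged_userns")

    if max_ns is None:
        return "unknown", "user/max_user_namespaces is not readable on this system"
    if max_ns == 0:
        return "disabled", "user.max_user_namespaces=0"
    if clone == 0:
        return "privileged-only", "kernel.unprivileged_userns_clone=0"
    if aa == 1:
        return "apparmor-restricted", "kernel.apparmor_restrict_unprivileged_userns=1"
    return "open", "any local user can create a user namespace and hold capabilities inside it"

if __name__ == "__main__":
    verdict, reason = audit_userns()
    print(f"{verdict}: {reason}")
```

A verdict of `open` means the kernel interfaces reachable only with in-namespace capabilities are exposed to every local user, which is the attack surface the comment refers to.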