
system/bubblewrap: add non-setuid variant

Max Rees requested to merge bwrap-nosuid into master

bwrap(1) works out-of-box with no additional privileges if using the --unshare-user argument on supported kernels such as easy-kernel, and in fact it is desirable that it runs without setuid privileges in such cases since it allows for the use of newuidmap(1) and newgidmap(1) to set custom ID mappings inside the container. Otherwise, when --unshare-user is used with a setuid bwrap(1), the permissions on the /proc entry for the process will be privileged and newuidmap(1)/newgidmap(1) will fail.

Edited by Max Rees
