Can I use systemd resource management to deny port only outside containers
0 votes, 0 answers, 79 views
On an up-to-date Fedora 39, I have set up podman for rootless containers, and I limit the ports a user may bind to by creating
/etc/systemd/system/user-1000.slice.d/user-resources.conf
with
[Slice]
SocketBindAllow = 12345
SocketBindDeny = any
Now, as expected, the user cannot bind to port 20202, for example:
$ nc -4 -lp 20202
Ncat: bind to 0.0.0.0:20202: Operation not permitted. QUITTING.
However, what bothers me is that it's not even possible to bind to a denied port *within* a container without exposing the port:
$ podman run docker.io/library/alpine nc -lp 20202
nc: bind: Operation not permitted
Is this a bug? Is there anything I can do about it?
Asked by Gamification
(231 rep)
Dec 7, 2023, 10:02 AM
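As an added example (not part of the original post), here is a small Python model of why the container is affected: systemd enforces SocketBindAllow=/SocketBindDeny= with a BPF filter attached to the unit's cgroup, so it applies to every process in that cgroup subtree, and a rootless podman container's processes live under user-1000.slice. The drop-in text and the two /proc/<pid>/cgroup lines below are constructed samples, and the rule parser is a simplified assumption (address-family and protocol prefixes are stripped rather than enforced).

```python
"""Model how systemd's SocketBindAllow=/SocketBindDeny= on a slice applies to
every process in that slice's cgroup subtree, rootless podman containers included."""
import re

# Constructed drop-in content, matching the settings from the question.
DROPIN = """[Slice]
SocketBindAllow = 12345
SocketBindDeny = any
"""

# Constructed cgroup v2 lines from /proc/<pid>/cgroup: a host shell and a process
# started by rootless podman. Both paths sit under user-1000.slice.
HOST_CGROUP = "0::/user.slice/user-1000.slice/user@1000.service/app.slice/vte-spawn-ID.scope"
CONTAINER_CGROUP = "0::/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-CONTAINERID.scope/container"

def parse_bind_rules(text):
    """Return (allow, deny) lists of (lo, hi) port ranges; 'any' becomes (1, 65535).
    Simplified: optional family/protocol prefixes such as 'ipv4:tcp:' are dropped."""
    rules = {"SocketBindAllow": [], "SocketBindDeny": []}
    for line in text.splitlines():
        m = re.match(r"\s*(SocketBindAllow|SocketBindDeny)\s*=\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if value == "":                 # an empty assignment resets the list
            rules[key] = []
            continue
        value = value.split(":")[-1]    # keep only the port part
        if value == "any":
            rules[key].append((1, 65535))
        else:
            lo, _, hi = value.partition("-")
            rules[key].append((int(lo), int(hi or lo)))
    return rules["SocketBindAllow"], rules["SocketBindDeny"]

def bind_allowed(port, allow, deny):
    """systemd evaluates the allow list first; a match permits the bind.
    Otherwise a deny match forbids it; with no match at all the bind is permitted."""
    if any(lo <= port <= hi for lo, hi in allow):
        return True
    return not any(lo <= port <= hi for lo, hi in deny)

def in_slice(cgroup_line, slice_name):
    """True if the cgroup v2 path in a /proc/<pid>/cgroup line lies under slice_name."""
    path = cgroup_line.split("::", 1)[1]
    return f"/{slice_name}/" in path + "/"

if __name__ == "__main__":
    allow, deny = parse_bind_rules(DROPIN)
    for name, cg in (("host shell", HOST_CGROUP), ("podman container", CONTAINER_CGROUP)):
        print(f"{name} in user-1000.slice: {in_slice(cg, 'user-1000.slice')}")
    for port in (12345, 20202):
        print(f"bind to port {port} allowed: {bind_allowed(port, allow, deny)}")
```

Because both sample processes are inside user-1000.slice, the same filter answers the bind() call for port 20202 in both cases, which matches the two "Operation not permitted" results in the question.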