What security risks arise from granting unprivileged users the ability to perform overlay mounts?

1 vote
1 answer
55 views
I'm writing a program to allow unprivileged users to mount overlay filesystems using a setuid binary. I've implemented a few safeguards to improve the program's security, but I'd like a more definitive checklist of potential security risks such a program might expose. Here are the safeguards I've implemented so far:

- The program dissociates its mount namespace before performing any mounts, ensuring that other processes remain unaffected by the new mount. The program then runs a user-provided command inside that namespace.
- It verifies that every lowerdir is readable by the user. For sub-items within each lowerdir, I assume that POSIX ACLs will prevent unauthorized access.
- It ensures that the upperdir is both readable and writable by the user. Again, I rely on ACLs to enforce access restrictions on sub-items.
- It verifies that the workdir is writable. Since the workdir must be empty for OverlayFS to function, I consider the risk there to be minimal.
- It ensures that the mountpoint is writable by the user.
- The program resets the effective UID and GID to the real user's IDs immediately after completing the mount operations.

These measures cover all the attacks I could foresee, but I suspect there may be additional risks I haven't accounted for. I would appreciate it if someone could point out any security issues before this goes into production.
Asked by B. Bergeron (15 rep)
Jul 16, 2025, 09:00 PM
Last activity: Jul 24, 2025, 12:18 AM
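The helper the question describes, written out as an added C example (this is not the asker's code and nothing here is from the original post). It follows the listed safeguards in order: access checks against the real UID/GID, a private mount namespace, the overlay mount, then a verified drop of privileges before exec. Two details are the example's own choices rather than anything the question states: paths containing ',', ':' or '\' are rejected outright, because the mount option string is comma separated and lowerdir entries are colon separated, so such bytes would otherwise be parsed as option syntax; and the overlay is mounted nosuid,nodev as a conservative default. One caveat the example handles that the question does not mention: on systems where "/" is a shared mount (the usual systemd setup), unshare(CLONE_NEWNS) alone leaves the new namespace's mounts as propagation peers of the originals, so the overlay would still appear in the parent namespace; the example remounts everything MS_PRIVATE first. All function names are hypothetical. The validation and privilege-drop helpers run anywhere; the mount itself needs Linux and an effective UID of 0.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Accept only absolute paths free of the bytes the overlayfs option parser
 * treats as syntax (',' option separator, ':' lowerdir separator, '\' escape).
 * Refusing them outright is this example's conservative choice. */
int path_is_safe_for_options(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    return strpbrk(path, ",:\\") == NULL;
}

/* 0 if path is a directory the REAL uid/gid may use with mode (R_OK|W_OK),
 * -1 otherwise. access(2) checks the real ids, which is what a setuid helper
 * wants; X_OK is added because traversing a directory requires it. */
int check_dir_access(const char *path, int mode)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return access(path, mode | X_OK) == 0 ? 0 : -1;
}

/* Bounded append; fails instead of truncating silently. */
static int append(char *buf, size_t buflen, size_t *used, const char *s)
{
    size_t len = strlen(s);
    if (*used + len + 1 > buflen)
        return -1;
    memcpy(buf + *used, s, len + 1);
    *used += len;
    return 0;
}

/* Build "lowerdir=a:b,upperdir=u,workdir=w". Returns the length written,
 * or -1 if any path is unsafe or the buffer is too small. */
int build_overlay_opts(const char *const *lowers, size_t nlowers,
                       const char *upper, const char *work,
                       char *buf, size_t buflen)
{
    size_t used = 0;
    if (nlowers == 0 || !path_is_safe_for_options(upper) ||
        !path_is_safe_for_options(work) ||
        append(buf, buflen, &used, "lowerdir=") != 0)
        return -1;
    for (size_t i = 0; i < nlowers; i++) {
        if (!path_is_safe_for_options(lowers[i]) ||
            (i > 0 && append(buf, buflen, &used, ":") != 0) ||
            append(buf, buflen, &used, lowers[i]) != 0)
            return -1;
    }
    if (append(buf, buflen, &used, ",upperdir=") != 0 ||
        append(buf, buflen, &used, upper) != 0 ||
        append(buf, buflen, &used, ",workdir=") != 0 ||
        append(buf, buflen, &used, work) != 0)
        return -1;
    return (int)used;
}

/* Permanently drop to the real uid/gid (gid first, while still privileged)
 * and verify the result: an unchecked setresuid() failure would leave the
 * user's command running as root. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), r, e, s;
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0 || setresuid(ruid, ruid, ruid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0 || r != ruid || e != ruid || s != ruid)
        return -1;
    return 0;
}

/* Check every directory as the real user, detach a private mount namespace,
 * mount the overlay, drop privileges. Needs effective uid 0 to mount. */
int mount_overlay_for_user(const char *const *lowers, size_t nlowers,
                           const char *upper, const char *work,
                           const char *target)
{
    char opts[4096];
    for (size_t i = 0; i < nlowers; i++)
        if (check_dir_access(lowers[i], R_OK) != 0)
            return -1;
    if (check_dir_access(upper, R_OK | W_OK) != 0 ||
        check_dir_access(work, W_OK) != 0 ||
        check_dir_access(target, W_OK) != 0 ||
        build_overlay_opts(lowers, nlowers, upper, work, opts, sizeof opts) < 0)
        return -1;
    /* A shared "/" would propagate the new mount back to the parent
     * namespace; make everything private before mounting. */
    if (unshare(CLONE_NEWNS) != 0 ||
        mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -1;
    if (mount("overlay", target, "overlay", MS_NOSUID | MS_NODEV, opts) != 0)
        return -1;
    return drop_privileges();
}

int main(int argc, char **argv)
{
    if (argc < 6) {
        fprintf(stderr, "usage: %s LOWER UPPER WORK TARGET CMD [ARG...]\n", argv[0]);
        return 2;
    }
    const char *lowers[] = { argv[1] };
    if (mount_overlay_for_user(lowers, 1, argv[2], argv[3], argv[4]) != 0) {
        perror("mount_overlay_for_user");
        return 1;
    }
    execvp(argv[5], argv + 5);   /* runs as the real user, inside the namespace */
    perror("execvp");
    return 127;
}
```

Installed as a setuid-root binary, `helper /srv/lower /home/u/upper /home/u/work /home/u/mnt /bin/sh` would check the four directories as the calling user, mount the overlay in a private namespace and exec the shell unprivileged. The checks and the mount still name the directories by path, so a user who can swap a path component between check and mount is a gap this example does not close.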