I don’t know enough about Linux namespaces. Couldn’t this just be handled with chroot?
I don’t know what you mean by “couldn’t this just be handled with chroot” (what solution are you suggesting exactly?), but mount namespaces are not the same as chroot! Here are a couple of articles that might be helpful: http://man7.org/linux/man-pages/man7/mount_namespaces.7.html, https://lwn.net/Articles/689856/
You can’t access the cgroup namespaces from the host system? That’s crazy. This is such a crucial feature of jails and zones.