Hacker News

Do cgroups solve any of these problems? I was mildly surprised to not see them mentioned.


Where the author talks about containers, you can mentally substitute cgroups, since Linux containers are cgroups + namespaces.


That's how I look at it too, but lots of people don't look at it that way, hence all the handwaving about "too heavyweight" and "seems like overkill" etc.

Largely because of Docker and Kubernetes, many think of a container as all of the following:

1. A cgroup + [all or nearly all of the] unshare-able namespaces

2. A writable, disposable overlay on top of an immutable "image", which may be lazily downloaded and extracted

3. A resource managed by a userspace daemon managed by a userspace utility over a socket

4. Optionally, a seccomp-bpf filter or apparmor profile or something

But there's a whole useful spectrum between a vanilla process and a Docker container like that. Lots of points on that spectrum still feel highly container-ized but aren't really much more heavyweight than a vanilla process.

Beyond that, in the point about PID namespaces, the author should mention that there are ultra-lightweight init implementations that are barely a factor in overhead.
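The four-item list above is a useful checklist for deciding where on the spectrum a given process actually sits. The script below is an added example, not code from the thread or from any project it mentions: it reads the `/proc` files a practitioner would inspect by hand (`cgroup`, `status`, the `ns/*` links and `attr/current`) and reports which pieces of isolation apply to a PID. The parsing functions take text so they can be exercised on the constructed samples embedded in the script; `inspect_pid` reads the live files on Linux. Namespace membership is judged by comparing a process's `ns/*` link targets with PID 1's, so a process that differs from init in, say, `mnt` and `pid` but shares `net` is reported exactly that way, which is how the "cgroup + a subset of namespaces" points on the spectrum show up in practice.

```python
"""Inventory the container-ish isolation applied to a Linux process.

Added example (not from the HN thread): reports cgroup placement,
unshared namespaces, nested PID namespace, seccomp filter mode and
AppArmor confinement for a PID. All sample data below is constructed.
"""
import os

NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def parse_proc_cgroup(text):
    """Parse /proc/<pid>/cgroup into {controllers: path}.

    cgroup v2 has a single line '0::/path' (keyed here as 'unified');
    v1 has one 'id:ctrl[,ctrl]:/path' line per mounted hierarchy.
    Note that on systemd hosts nearly every process lives in a
    non-root cgroup, so read the path rather than treating any
    nesting as a container signal.
    """
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hid, controllers, path = line.split(":", 2)
        out[controllers or "unified"] = path
    return out


def parse_status(text):
    """Pull the NSpid and Seccomp fields out of /proc/<pid>/status.

    NSpid lists the PID as seen from each enclosing PID namespace, so
    more than one entry means the process is in a nested PID namespace.
    Seccomp is 0 (off), 1 (strict) or 2 (filter, i.e. seccomp-bpf).
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    nspid = [int(p) for p in fields.get("NSpid", "").split()]
    return {"nspid": nspid, "seccomp_mode": int(fields.get("Seccomp", "0"))}


def differing_namespaces(target_links, reference_links):
    """Namespaces whose /proc/<pid>/ns/<name> target differs from the reference."""
    return sorted(ns for ns, link in target_links.items()
                  if ns in reference_links and reference_links[ns] != link)


def classify(cgroup_text, status_text, ns_links, ref_ns_links,
             apparmor_label="unconfined"):
    """Map the raw /proc data onto the four checklist items."""
    status = parse_status(status_text)
    return {
        "cgroup_paths": parse_proc_cgroup(cgroup_text),
        "unshared_namespaces": differing_namespaces(ns_links, ref_ns_links),
        "own_pid_namespace": len(status["nspid"]) > 1,
        "seccomp_filter": status["seccomp_mode"] == 2,
        "apparmor_confined": not apparmor_label.startswith("unconfined"),
    }


def inspect_pid(pid, reference_pid=1):
    """Read the live /proc files for `pid` and classify it against `reference_pid`."""
    def read(path, default=""):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:          # no /proc (non-Linux) or no permission
            return default

    def links(p):
        out = {}
        for ns in NAMESPACES:
            try:
                out[ns] = os.readlink(f"/proc/{p}/ns/{ns}")
            except OSError:
                pass
        return out

    return classify(read(f"/proc/{pid}/cgroup"), read(f"/proc/{pid}/status"),
                    links(pid), links(reference_pid),
                    read(f"/proc/{pid}/attr/current", "unconfined").strip())


# Constructed samples: a process in its own mount + PID namespace, with a
# seccomp-bpf filter and an AppArmor profile, versus a plain process.
SAMPLE_CGROUP = "0::/user.slice/sandbox.scope\n"
SAMPLE_STATUS = "Name:\tsleep\nSeccomp:\t2\nNSpid:\t4242\t1\n"
SAMPLE_NS = {"pid": "pid:[4026532201]", "mnt": "mnt:[4026532199]",
             "net": "net:[4026531992]"}
REF_NS = {"pid": "pid:[4026531836]", "mnt": "mnt:[4026531840]",
          "net": "net:[4026531992]"}

if __name__ == "__main__":
    print("sample:", classify(SAMPLE_CGROUP, SAMPLE_STATUS, SAMPLE_NS, REF_NS,
                              "docker-default (enforce)"))
    print("self:  ", inspect_pid(os.getpid()))
```

Running it as a script prints the classification of the constructed sample and then of the interpreter itself; on a plain shell session the second line shows a systemd user-slice cgroup path with no unshared namespaces, which is the "vanilla process" end of the spectrum.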


Can you create them at all, as an unprivileged process, or does it need something else to set it up for you like systemd?

If you have to rely on systemd, then arguably it is a systemd solution, not a Unix or Linux one.


They were mentioned in 2.1.1.
