Why is user.max_user_namespaces enabled in Ubuntu by default?

Ubuntu has kept it enabled for a lot longer than Debian, but see Debian's reasoning for enabling it in bullseye which I think is probably the same as Ubuntu's:

From Linux 5.10, all users are allowed to create user namespaces by default. This will allow programs such as web browsers and container managers to create more restricted sandboxes for untrusted or less-trusted code, without the need to run as root or to use a setuid-root helper.

The previous Debian default was to restrict this feature to processes running as root, because it exposed more security issues in the kernel. However, as the implementation of this feature has matured, we are now confident that the risk of enabling it is outweighed by the security benefits it provides.

So they think the security benefits offered by this are good enough to not consider throwing out the whole thing.

And Ubuntu are aware of the security problems and are working on a mitigation using AppArmor:

Disabling unprivileged user namespaces might stop an exploit but can also break applications that legitimately use and rely on access to them.

With introduction of restricted unprivileged user namespaces AppArmor can be used to selectively allow and disallow unprivileged user namespaces for individual applications. AppArmor policy is used to selectively control access to unprivileged user namespaces on a per applications basis, and then deny access to all other applications.

(This post also mentions elsewhere how user namespaces have reduced the need for setuid.)

According to the blog post announcing this, it's disabled by default at the initial release of 23.10, and planned to be enabled later by a package update as they get more data. Older releases won't be affected.