Podman can run under your user and use your UID (e.g., 1000) as UID 0 for the root user in the container. Any other user in the container gets mapped to a temporary unprivileged UID on your system (the range to pick from is specified in /etc/subuid).

How are you meant to pull package from docker hub with nspawn?

I don’t. I’m using Nix containers.

...that nspawn is already available on 90% of Linux systems.