--unshare-user not enough to be able to run useradd

[Esben2]

I try to mount a Fedora rootfs which employes standeard /etc/shadow system.

bwrap --bind / --unshare-user --uid 0 --gid 0 adduser foo adduser: cannot open /etc/gshadow

whereas if I type

unshare -r bwrap --bind / --unshare-user --uid 0 --gid 0 adduser foo

I have no problems.

Why do I need the apparent hack of unshare the user namespace before bwrap to get the same permissions on /etc/gshadow ?