According to https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md#running-puppeteer-in-docker, you need to run Docker with --cap-add=SYS_ADMIN to run Puppeteer in a container.
As per http://man7.org/linux/man-pages/man7/capabilities.7.html and https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md#recommended-enable-user-namespace-cloning, this is needed to use unshare inside the container, which Chrome needs for its sandboxing feature.
I don’t know which exact change triggered the failure – but, as you can see, it’s actually an error that this was working before! https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md refers to a ticket that all but disabled the use of the suid sandbox in Chrome in favor of the namespace one, but it’s from 2016.
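
To confirm from inside the container whether the capability is actually present, the following added example (not part of the original comment or of Puppeteer's documentation) decodes the `CapEff` mask in `/proc/self/status` and reads the user-namespace sysctl. The function names are hypothetical, and the `unprivileged_userns_clone` sysctl is assumed to exist only on kernels that carry it (Debian-derived ones), so its absence is reported rather than treated as an error.

```shell
#!/bin/sh
# Added example: diagnose why Chrome's namespace sandbox cannot start in a container.
# File paths are parameters so the checks can also be run on saved copies.

CAP_SYS_ADMIN_BIT=21   # capability number of CAP_SYS_ADMIN in linux/capability.h

# has_sys_admin STATUS_FILE
# Exit 0 if CAP_SYS_ADMIN is in the effective set, 1 if not, 2 if undecidable.
has_sys_admin() {
    cap_eff=$(awk '$1 == "CapEff:" { print $2 }' "$1" 2>/dev/null)
    [ -n "$cap_eff" ] || return 2
    # CapEff is a hex bitmask; test the single bit for CAP_SYS_ADMIN.
    [ $(( 0x$cap_eff & (1 << CAP_SYS_ADMIN_BIT) )) -ne 0 ]
}

# userns_clone_state SYSCTL_FILE
# Prints enabled, disabled, or absent (kernel does not expose the knob).
userns_clone_state() {
    if [ ! -r "$1" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$1")" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# sandbox_report [STATUS_FILE] [SYSCTL_FILE]
# Prints a one-line summary; defaults to the live /proc entries.
sandbox_report() {
    status_file=${1:-/proc/self/status}
    sysctl_file=${2:-/proc/sys/kernel/unprivileged_userns_clone}
    if has_sys_admin "$status_file"; then admin=yes; else admin=no; fi
    echo "cap_sys_admin=$admin userns_clone=$(userns_clone_state "$sysctl_file")"
}

sandbox_report
```

Run it once in a container started without `--cap-add=SYS_ADMIN` and once with it; `cap_sys_admin` should flip from `no` to `yes`.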