resolving the “Warning: Download is performed unsandboxed as root … couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)” in a debootstrap'd chroot
This may be a rather odd-ball corner case (as the setup where I'm doing this
is beyond odd¹). Nevertheless, I've searched the Interwebs (for the error
message below and obvious variations) and all I can find about this is
LLM-backed-AI-generated answers, Debian bug tickets saying this issue has
been resolved, and one reddit thread². At the very least, when this lands
in the debian-user archives, at least there will be some more search engine
information about this problem.
Backstory:
I debootstrapped a bookworm¹ chroot, schroot'd into it, then edited
/etc/apt/sources.list³ to look like this:
    deb http://deb.debian.org/debian trixie main
    deb http://deb.debian.org/debian trixie-updates main
    deb-src http://deb.debian.org/debian trixie main
    deb-src http://deb.debian.org/debian trixie-updates main
I then did, as root, schroot'ed into this chroot:
    # apt -y update; apt -y dist-upgrade
While all seemed to go as planned, I got a *lot* of Warnings about various
directories having the wrong permissions for `_apt` user. I chased them all
to be owned by `_apt` all the way down, and most went away.
Remaining Problem:
Yet, I'm still getting — on every `apt install <SOMETHING>` and `apt update`
command — the following error:
    Warning: Download is performed unsandboxed as root as file '/var/lib/apt/lists/partial/deb.debian.org_debian_dists_trixie_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
But, here's an `ls -ld` of each relevant directory all the way down:
    (trixie)root@holly:~# ls -ld /var/lib
    drwxr-xr-x 12 root root 4096 Nov 3 18:52 /var/lib
    (trixie)root@holly:~# ls -ld /var/lib/apt
    drwxr-xr-x 5 _apt root 4096 Nov 3 19:13 /var/lib/apt
    (trixie)root@holly:~# ls -ld /var/lib/apt/lists
    drwxr-xr-x 4 _apt root 4096 Nov 3 18:51 /var/lib/apt/lists
    (trixie)root@holly:~# ls -ld /var/lib/apt/lists/partial/
    drwx------ 2 _apt root 4096 Nov 3 18:51 /var/lib/apt/lists/partial/
… and I note these permissions match what I have in other chroots. Yet I
still keep getting the above error message.
I don't want to report this as a bug against `apt` without asking here first
because the situation¹ is so weird that it may not be worth fixing this
corner case.
Any suggestions on things to try before I submit a bug report?
¹ Please don't judge: I'm trying to install a trixie chroot on a system that
is currently running buster. Yes, I know buster is out of official LTS
and I should get the system in question upgraded ASAP, but I'm setting a
temporary solution up today that should only last another 30 days or so,
FWIW.
² https://www.reddit.com/r/debian/comments/1euzaoy/fix_apt_error_download_is_performed_unsandboxed/
³ I `apt modernize-sources` since the initial bookworm ⇒ trixie upgrade, and
the warning above still persists, so it seems unlikely it's related to
that.
--
Bradley M. Kühn - he/them - Policy Fellow & Hacker-in-Residence at Software Freedom Conservancy
I answer email slowly; feel free to book a chat w/ me: https://sfc.ngo/book/bkuhn
On the Fediverse (via Mastodon) at https://fedi.copyleft.org/@bkuhn
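
The following is an added example, not part of the original message: it generalizes the per-directory `ls -ld` check above to every ancestor of the target, including `/` and `/var`, which the listing does not show. The function names and the `start` parameter are hypothetical, and it evaluates only classic owner/group/other mode bits, so ACLs, mount options and LSM policy are outside what it can see.

```python
import os
import pwd
import stat
import sys

def ancestors(path, start="/"):
    """Yield start, then every directory below it down to path."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    rel = os.path.relpath(path, start)
    cur = start
    yield cur
    if rel != ".":
        for part in rel.split(os.sep):
            cur = os.path.join(cur, part)
            yield cur

def allowed(st, uid, gids, need):
    """Classic owner/group/other check; need is a mask of 0o4/0o2/0o1 bits."""
    if uid == 0:                      # root bypasses mode bits
        return True
    if st.st_uid == uid:
        granted = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        granted = (st.st_mode >> 3) & 7
    else:
        granted = st.st_mode & 7
    return granted & need == need

def audit(path, uid, gids, start="/"):
    """Return (dir, octal mode, owner uid, owner gid, ok) per directory.
    Ancestors need search (x); the final directory needs write+search."""
    dirs = list(ancestors(path, start))
    rows = []
    for d in dirs:
        st = os.stat(d)
        need = 0o3 if d == dirs[-1] else 0o1
        rows.append((d, oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid,
                     allowed(st, uid, gids, need)))
    return rows

def first_blocked(path, uid, gids, start="/"):
    """First directory where the check fails, or None."""
    return next((r[0] for r in audit(path, uid, gids, start) if not r[4]), None)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/apt/lists/partial"
    pw = pwd.getpwnam("_apt")         # KeyError if the chroot has no _apt user
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for row in audit(target, pw.pw_uid, gids):
        print(*row)
```

Run as root inside the chroot, it prints one row per directory from `/` down, with `False` in the last column at any level where the mode bits alone would stop `_apt`.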