Score:2

How do I use the user namespace sandbox?


The README from https://ungoogled-software.github.io/ungoogled-chromium-binaries/releases/linux_portable/64bit/ instructs me, before I run ungoogled-chromium, to set up my system by using the user namespace sandbox so that the browser's sandboxing will work. How do I go about this?

My environment: Ubuntu Desktop 22.04 LTS. Let's say that the username of my admin-user is leo.

Luuk:
I cannot find `sandbox` (and/or `namespace`) here https://github.com/ungoogled-software/ungoogled-chromium-debian#readme, so, please explain.
John Smith:
@Luuk I updated the URL in my question. The `README` file is in the archive.
Score:3

What is it?

That is a kernel feature that allows unprivileged users to create namespaces that can run isolated processes with elevated privileges inside those contained/sandboxed namespaces, e.g. by using `unshare`:

```
$ whoami
ubuntu
$
$ unshare --map-root-user
#
# whoami
root
#
```

where, as an example, your current effective user and group IDs get mapped to the superuser UID and GID in the newly created user namespace which makes it possible to conveniently gain capabilities needed to manage various aspects of the newly created namespaces (such as configuring interfaces in the network namespace or mounting filesystems in the mount namespace) even when run unprivileged.

Oftentimes, you don't need to set up such a user namespace yourself; rather, the application requiring that feature should do that automatically as needed.

How to use it?

It should be enabled by default on recent releases of Ubuntu ... Check it with:

```
sysctl kernel.unprivileged_userns_clone
```

and if it prints:

```
kernel.unprivileged_userns_clone = 1
```

as it should, then you are good to go and your application set to make use of that feature will just run fine ... And you can see this happening by listing the namespaces created/used after running the script `./chrome-wrapper` from the extracted portable ungoogled-chromium archive you linked to in your question with e.g.:

```
lsns -o ns,pid,type,command | grep 'ungoogled-chromium'
```

If, however, it outputs:

```
kernel.unprivileged_userns_clone = 0
```

which means it's disabled ... Then, you can enable it until next reboot with:

```
sudo sysctl -w kernel.unprivileged_userns_clone=1
```

and you can make that change permanent by adding this line:

```
kernel.unprivileged_userns_clone=1
```

to the file `/etc/sysctl.conf`.
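
A scripted form of the check above, as an added example that is not part of the original answer: it reads `kernel.unprivileged_userns_clone`, also reads `user.max_user_namespaces` (a second kernel limit the answer does not mention, where 0 likewise disables the feature), and reports what a sysctl config file persists. The function names and the `PROC_SYS` override are hypothetical, introduced here so the logic can be run against a constructed directory.

```sh
#!/bin/sh
# Added example, not from the original answer.
# PROC_SYS is a hypothetical override; the default is the live /proc/sys.

# Print the value of a sysctl file, or "absent" if the kernel does not expose it.
read_knob() {
    f="${PROC_SYS:-/proc/sys}/$1"
    if [ -r "$f" ]; then tr -d ' \t\n' < "$f"; else echo absent; fi
}

# Print a verdict for the two knobs checked here; return 1 if either one
# blocks unprivileged user namespace creation.
userns_verdict() {
    clone=$(read_knob kernel/unprivileged_userns_clone)
    limit=$(read_knob user/max_user_namespaces)
    # Debian/Ubuntu-specific knob: 0 disables. "absent" means this kernel
    # does not carry the knob, so it imposes no restriction.
    if [ "$clone" = 0 ]; then echo disabled-by-clone-knob; return 1; fi
    # A limit of 0 user namespaces also disables the feature.
    if [ "$limit" = 0 ]; then echo disabled-by-limit; return 1; fi
    echo enabled
}

# Print the last value assigned to the knob in the given sysctl config
# files (later assignments win), or "unset". Comment lines are skipped.
persisted_clone_value() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "kernel.unprivileged_userns_clone" {
            val = $2; gsub(/[ \t]/, "", val); last = val
        }
        END { print (last == "" ? "unset" : last) }
    ' "$@" /dev/null
}

echo "runtime:   $(userns_verdict || true)"
if [ -r /etc/sysctl.conf ]; then
    echo "persisted: $(persisted_clone_value /etc/sysctl.conf)"
fi
```

A runtime verdict of `enabled` combined with a persisted value of `0` means the setting will revert to disabled at the next reboot.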
