--no-sandbox
Disables the Chromium process sandbox. zshot then renders untrusted page content without that isolation layer, so use it only where the sandbox cannot run.
A container is the common case: the Chromium sandbox depends on kernel facilities a container does not grant by default, and the browser fails to start without this flag. See Docker.
For background on the sandbox and the trade-off you accept by turning it off, see no-sandbox.io.
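One way to apply "only where the sandbox cannot run" in a container entrypoint, as an added example that is not zshot's own code: it probes for unprivileged user namespaces, which Chromium's Linux sandbox relies on and Docker's default seccomp profile denies, and emits `--no-sandbox` only when the probe fails and the operator has explicitly opted in. The function names and the `ZSHOT_ALLOW_NO_SANDBOX` variable are hypothetical, and the probe is a heuristic rather than a full check of every sandbox prerequisite.

```shell
#!/bin/sh
# Added example (not part of zshot): choose the sandbox argument at start-up.

# Heuristic probe: can this process create a user namespace?
# Assumption: failure here means the Chromium sandbox cannot start.
userns_available() {
    command -v unshare >/dev/null 2>&1 || return 1
    unshare -U true 2>/dev/null
}

# Prints the sandbox-related argument for zshot on stdout.
#   $1  probe command (defaults to userns_available; injectable for tests)
# Exit status: 0 = proceed, 2 = sandbox unavailable and no opt-in (fail closed).
# ZSHOT_ALLOW_NO_SANDBOX is a hypothetical opt-in variable for this wrapper.
zshot_sandbox_args() {
    probe=${1:-userns_available}

    # Sandbox can run: keep it, add no flag.
    if "$probe"; then
        return 0
    fi

    # Sandbox cannot run: disable it only on explicit operator opt-in.
    if [ "${ZSHOT_ALLOW_NO_SANDBOX:-0}" = "1" ]; then
        echo "--no-sandbox"
        return 0
    fi

    echo "Chromium sandbox unavailable; set ZSHOT_ALLOW_NO_SANDBOX=1 to run without it" >&2
    return 2
}

# Entrypoint usage (the remaining zshot arguments are whatever you already pass):
#   args=$(zshot_sandbox_args) || exit $?
#   zshot $args "$@"
```

Failing closed keeps a host where the sandbox works from silently losing it because a flag was hard-coded into the image.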