Which of the following capabilities are you allowed to add to a container using the Restricted policy?
The CHOWN capability allows the user to make arbitrary changes to file UIDs and GIDs. According to the documentation for container security contexts, the Restricted policy permits the CHOWN capability, as it is necessary for typical file operations that containers might need to perform. Other capabilities like SYS_CHROOT, SETUID, and NET_BIND_SERVICE are not allowed under the Restricted policy due to their potential security risks.
https://docs.openshift.com/dedicated/authentication/managing-security-context-constraints.html
Option : A