Tails is using sudo/root to setup the chroot and uses sudo -u clearnet to start the browser. So while the browser runs indeed as non-root, the procedure requires root rights. This is possible through the /etc/sudoers.d/zzz unsafe-browser exception. This however doesn’t grant a path to executing arbitrary code/programs as user root or user clearnet. If you find a way to do that, I guess Tails might consider this a security buy.