you shouldn’t blindly let programs have access to tmp. They can get access to sockets and stuff. If you’re running with systemd there’s a private tmp option for this reason. - HN / the-many-perils-of-tmp

see also

• Proot / HN - a user-space implementation of chroot, mount –bind, and binfmt_misc.
• The chroot Technique - a Swiss army multitool for Linux systems / HN - you can access the hard drive of a broken or non-bootable Linux machine (this could be done e.g. by booting from a Live USB-stick, or plugging in the hard-drive as an extra drive in another Linux machine), you will mount this hard drive in a way that you trick your current Linux session that this is the harddrive of the currently running system, which it is not of course.
  • With qemu-user and binfmt you can even chroot into foreign CPU architectures, which is a handy thing to have when you mount your phone’s eMMC to fix a hacking session gone wrong. Though these days you may want to look into things like systemd-nspawn instead of plain chroot.