cgroup_namespaces.7: wfix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man7/cgroup_namespaces.7

@@ -156,10 +156,9 @@ Such leakages could, for example,
 reveal information about the container framework
 to containerized applications.
 .IP *
-It allows easier and more flexible
-confinement of container root tasks, because they can mount
-their own cgroup filesystems without gaining access to ancestor
-cgroup directories.
+It allows better confinement of containererized processes,
+because it is possible to mount the container's cgroup filesystems such that
+the container processes can't gain access to ancestor cgroup directories.
 Consider, for example, the following scenario:
 .RS 4
 .IP \(bu 2