Sure. I believe that nogroup behaviour is a failsafe. Otherwise every misconfiguration would result in privilege escalation.
Unfortunately I’m not really familiar with that podman setup. I’m not sure if that --group-add keep-groups helps. I’m not sure what kind of groups are defined inside of the container, or if the render group is even there and attached to the user that runs the process. Also I’m not sure if it’s the group’s name or number that counts… The numbers can be different from container to container.
Maybe you can peek at the container, see how it’s set up inside? Maybe something like the --device-cgroup-rule helps to give access to the user within the container?