Notes:


Even if UML security is airtight, it is still wise to wrap some security around it on the host.
The obvious thing to do is put it in a chroot jail. UML lends itself well to this. It has minimal requirements for outside files to be present in the chroot.
It is a statically linked binary, so it has no need for shared libraries.
It used to need to read /proc/self/maps, requiring /proc to be mounted in the jail. This is no longer the case and /proc is not needed.
Some /dev nodes might be necessary, depending on how UML is configured at run-time. For example, if its consoles or serial lines are attached to host pty or pts devices, then those device nodes will need to be present in the jail.
However, it is possible to avoid that and avoid having any devices in the jail.
So, a chroot jail for UML would need to contain only two files - the UML binary itself and the filesystem that it boots from.
This needs to be verified - I haven't actually booted UML (or heard from anyone who has) in such an environment.