So, the two existing files will need to be converted into chroot-breaking tools.
The UML binary is already an executable binary, so it is an obvious choice. It can be rewritten so that it becomes the chroot breakout tool.
This can be prevented by making the binary non-writeable and immutable. Actually, immutable is sufficient, but making it unwriteable avoids confusion about what's intended.
Next is the filesystem. It is not an executable binary, but with sufficient rewriting and a permissions change, it could become one. It is writeable, and this is a requirement, since if it weren't, UML would not be able to change its contents and have to mount it as a read-only filesystem. However, if it is owned by a different uid than the UML uid, then the black hat will not be able to make it executable.