Do you need the setuid bit at build time or runtime?
At build time it’s definitely restricted, but at runtime it might be possible to poke a hole in the buildFHS sandbox. In https://github.com/NixOS/nixpkgs/blob/86ed15dcce7de9c9cac5755663b622142a89d76d/pkgs/build-support/build-fhs-userenv/chrootenv/chrootenv.c#L21 , /run/wrappers doesn’t seem to be listed, so maybe it’s possible to add it as a bind-mount option.