It seems that ip netns exec foo sh calls unshare(CLONE_NEWNS) - giving it a new mount namespace. What are we missing?
ip netns exec foo sh
unshare(CLONE_NEWNS)
