5

When I bind the filesystem root, it works

~> bwrap --ro-bind / / -- which which
/usr/bin/which

However, when I bind non-root, it fails

~> bwrap --ro-bind /usr /usr -- which which
bwrap: execvp which: No such file or directory

even though /usr/bin/which is in /usr.

Why does it fail?

dirdi
  • 3,317
Nycta
  • 153

1 Answer

5

You did not bind the interpreter for that binary – /lib/ld-linux.so.2 or /lib64/ld-linux-x86-64.so.2 or similar. (The kernel itself doesn't actually understand dynamically linked binaries; instead, they specify a loader in their ELF header. It works very similarly to the #! line for scripts.)

Even on systems with a merged /usr, this file is commonly still in /lib. (And on systems without a merged /usr, lots of other required libraries such as libc.so are in /lib as well.)

grawity
  • 501,077
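An added example, not part of the answer above: a small Python check that reads the loader path (the PT_INTERP program header) out of an ELF binary and reports whether a given set of bwrap bind destinations covers it. The helper names, the default bind list `["/usr"]` and the embedded sample ELF image are constructed for illustration.

```python
import struct
import sys

PT_INTERP = 3  # program header type that holds the loader path

def elf_interpreter(data: bytes):
    """Return the PT_INTERP path of an ELF image, or None (static binary / not ELF)."""
    if data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little endian
    word, phoff_at, phent_at = ("Q", 0x20, 0x36) if is64 else ("I", 0x1C, 0x2A)
    off_at, size_at = (8, 32) if is64 else (4, 16)   # p_offset, p_filesz
    phoff, = struct.unpack_from(end + word, data, phoff_at)
    phentsize, phnum = struct.unpack_from(end + "HH", data, phent_at)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, base)
        if p_type == PT_INTERP:
            off, = struct.unpack_from(end + word, data, base + off_at)
            size, = struct.unpack_from(end + word, data, base + size_at)
            return data[off:off + size].rstrip(b"\0").decode()
    return None

def covered(path, binds):
    """True if path lies under one of the sandbox bind destinations."""
    return any(b == "/" or path == b.rstrip("/")
               or path.startswith(b.rstrip("/") + "/") for b in binds)

def sample_elf64(interp=b"/lib64/ld-linux-x86-64.so.2\0"):
    """Constructed minimal ELF64 image: header, one PT_INTERP entry, loader path."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH",
                              3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0,
                       len(interp), len(interp), 1)
    return hdr + phdr + interp

if __name__ == "__main__":
    # Usage: script.py [binary] [bind-destination ...]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_elf64()
    binds = sys.argv[2:] or ["/usr"]        # assumed default: the failing case
    interp = elf_interpreter(data)
    if interp is None:
        print("no PT_INTERP: static binary, script, or not ELF")
    elif covered(interp, binds):
        print(f"loader {interp} is inside the binds {binds}")
    else:
        # The kernel opens this literal path inside the sandbox, so it must exist there.
        print(f"loader {interp} is NOT under {binds}: execvp will fail with ENOENT")
```

The check compares the literal path stored in the binary, so a host where the loader's directory is a symlink into /usr still reports the loader as missing when only /usr is bound. Shared libraries the loader then pulls in need the same treatment.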