Regarding owner having permission to chown:
- This is because of implicit privileges that TrueNAS assigns that are not consistent with Windows or NFSv4 as intended.
- I opened a bug: TrueNAS - Issues - iXsystems TrueNAS Jira
- There is a feature request to not implicitly grant permissions: Implement zfs aclimplicit to control granting implicit privileges to change file ownership and ACL – please vote for it.
NFSv4 is designed for an enterprise environment with Kerberos. If you run with Kerberos, your users will get mapped the way you expect them to and permissions will work correctly (except the implicitly assigned privileges to owners as above).
If you are running this at home / in a lab and do not have Kerberos, I wrote a guide for how to set up Kerberos in TrueNAS in a container. It is easy to do with TrueNAS and Linux or Mac clients. GitHub - evan314159/truenas-home-kerberos: How To Setup Kerberos for a Home TrueNAS Environment.
Note that I am not saying that sec=sys cannot work, but it is not a good approach, IMHO, and I wasted a lot of time doing it wrong (with sec=sys) when doing it right (with Kerberos) is so easy.
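
To see which security flavor each NFS mount on a Linux client actually negotiated (the sec=sys versus Kerberos distinction discussed in the post above), the mount table can be classified as below. This is an added example, not part of the original post or the linked guide; the function names, host names and sample lines are constructed, and it assumes the Linux `/proc/mounts` layout.

```shell
#!/bin/sh
# Added example: classify NFS mounts by their sec= flavor.
# Input:  lines in /proc/mounts format (device mountpoint fstype options dump pass).
# Output: one line per NFS mount: "<mountpoint> <flavor> <verdict>".
audit_nfs_sec() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        flavor = "unspecified"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^sec=/) flavor = substr(opts[i], 5)
        if (flavor ~ /^krb5[ip]?$/)
            verdict = "kerberos"             # identity proven by a Kerberos ticket
        else if (flavor == "sys")
            verdict = "client-asserted-ids"  # server trusts the UID/GIDs the client sends
        else
            verdict = "review"               # no sec= option or an unexpected flavor
        print $2, flavor, verdict
    }'
}

# Constructed sample input (not taken from a real system).
sample_mounts() {
    cat <<'EOF'
nas.example.lan:/mnt/tank/home /home nfs4 rw,relatime,vers=4.2,sec=krb5p,clientaddr=192.0.2.10 0 0
nas.example.lan:/mnt/tank/media /media nfs4 rw,relatime,vers=4.2,sec=sys,clientaddr=192.0.2.10 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# Demonstration on the constructed sample.
# On a real client, use instead:  audit_nfs_sec < /proc/mounts
sample_mounts | audit_nfs_sec
```

Any mount reported as `client-asserted-ids` is one where the ownership and ACL checks on the server rely on whatever numeric IDs the client presents.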