I actually really like how debos handles this - unfortunately when I went down the road of trying to get it working for my setup I couldn't get it to complete the debootstrap process (I admittedly didn't spend too much time trying to get this working - my suspicion was that it had to do with kernel support on my build agent).
I hit the same roadblock with qemu-debootstrap, which is a great wrapper for this use case, but makes (to be fair, reasonable) assumptions about permissions you do and do not have that might not apply in a build agent where you don't have control of the kernel.
Separating the process out into two stages helped with this as I was manually able to perform only the mounts needed to get a minimal filesystem produced.
it's good for a "bootstrap" root filesystem, a starting point that is, but might be difficult to build a full blown distro. With a basic rootfs, you need a virtual machine like qemu or kvm to make a full release.
You still need either an embedded system or a QEMU emulator to finish installing the packages but you can build a complete root filesystem with a simple configuration file.
What bothers me is that this requires a running linux kernel and root to eventually produce a single regular file. Why is this not refactored in such a way that it can be done conveniently from userspace?
I'm currently working on a cross-compilation solution that needed these root filesystems, and knew they would be of use to others.
If it helps with piece of mind, the images are built in the open (the Azure Pipelines YAML file in the repo handles this).
There are a bunch of scenarios in which you may find yourself unable to create these with debootstrap yourself (e.g. restricted permissions, a kernel without binfmt_misc suppport), but are able to use them (using proot to avoid needing admin, or Resin's patched version of QEMU that reworks execve() to operate without binfmt)
[1] https://github.com/go-debos/debos