in reply to chroot() security in cgi script?

Making /usr/sbin/chroot suid is a potential security hole in itself. The BSD manual page explicitly warns against that (perhaps the GNU page as well, but I did not check).

And super user privs are required because that's the underlying requirement of the chroot(2) call.

As for the system command wanting access to /bin/bash, that's documented behaviour. What do you expect /usr/sbin/chroot /var/www/user1 to do? A process that would only change directory, and not actually execute something, isn't very useful. So, if you don't give chroot a command to execute, it defaults to starting an interactive shell.
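
An added example, not part of the original reply: the shell functions below predict which program chroot will exec for a given invocation and check that it exists under the new root, which is where the lookup happens and why /bin/bash was wanted inside /var/www/user1. The function names are hypothetical, and the "$SHELL, else /bin/sh" default is assumed from GNU coreutils chroot.

```shell
# chroot_target [COMMAND [ARG...]]
# Prints the program chroot(8) will exec: the command given, or, when
# there is none, "$SHELL" (default /bin/sh), which it starts with -i.
chroot_target() {
    if [ "$#" -gt 0 ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "${SHELL:-/bin/sh}"
    fi
}

# chroot_preflight NEWROOT [COMMAND [ARG...]]
# Returns 0 if that program is an executable file under NEWROOT, 1 if not.
# It only tests files, so it runs without root and without a suid chroot.
# A dynamically linked program also needs its libraries inside NEWROOT;
# that is not checked here.
chroot_preflight() {
    newroot=${1%/}
    shift
    target=$(chroot_target "$@")
    case $target in
        /*)  set -- "$target" ;;
        */*) set -- "/$target" ;;        # relative path: resolved from the new /
        *)   old_ifs=$IFS; IFS=:         # bare name: PATH is searched inside the new root
             set -- $PATH
             IFS=$old_ifs
             for dir in "$@"; do         # replace each PATH entry with entry/name
                 shift
                 set -- "$@" "$dir/$target"
             done ;;
    esac
    for path in "$@"; do
        if [ -f "$newroot/${path#/}" ] && [ -x "$newroot/${path#/}" ]; then
            echo "ok: $path is present inside $newroot"
            return 0
        fi
    done
    echo "missing inside $newroot: $target (chroot cannot exec it)" >&2
    return 1
}
```

Running `chroot_preflight /var/www/user1` with no command reports whether the default shell is present in the jail before chroot is ever invoked.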