Just a quick update - we looked at this and we think the apparmor support in Debian is sufficient to enable it in snaps by default.
This is being worked on in https://github.com/snapcore/snapd/pull/9936 and once that lands I will upload to Debian. The goal is within this week. In addition to the spread tests we manually validated some key snaps and did not see regressions. With that upload we can close this bug because snaps are confined on Debian. Snaps will see the read only version of the "base" snap (e.g. core or core20) and only what access is granted via snap "interfaces". Cheers, Michael
