Other folders / files that might (lots of random guesses in the following list, not too much substance yet) be vulnerable in this threat model:
/etc/init.d (these are reinterpreted as systemd unit files?)
/etc/systemd (can hold systemd unit files)
/usr/lib/systemd (can hold systemd unit files)
/usr/lib/sysusers.d (modifying user accounts might do weird stuff)
/usr/lib/tmpfiles.d (weird file permissions might open for attack?)
/etc/passwd (do something weird to root account?)
/etc/initramfs-tools (add malicious hooks to infect initramfs)
/etc/default/grub
/etc/default/grub.d (grub boot parameters obviously can disable AppArmor)
/etc/grub.d
Yes.
Yes.
Also /var/cache/apt and /var/lib/dpkg.
An attacker could also try tricks such as deleting folders and using symlinks. Not thought through yet whether that would help an attack or is already covered.