"It is highly recommend to switch to Whonix’s testers repository before installing them, because the profiles in the stable repository are much older and have some issues. Note, that switching to the testers repository would update also other packages from that testers repository unless you know how to avoid this (advanced users only). "
Enable both repositories in apt sources manually: stable and testers.
Then use apt pinning. Configure apt preferences to prefer apparmor-profile-* packages from the testers repository and to prefer the stable repository for everything else.
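The pinning described above, written as an apt preferences file (an added example, not from the original thread or from Whonix documentation). The file name is hypothetical, and the suite name `testers` in the `Pin:` lines is an assumption about how the testers repository labels its Release file; check the real value in the output of `apt-cache policy` and adjust before relying on it.

```text
Explanation: File: /etc/apt/preferences.d/50-apparmor-profiles-testers (hypothetical name)
Explanation: General rule: keep everything from the testers suite below the
Explanation: default priority of 500, so the stable repository wins for all
Explanation: other packages even when testers carries a newer version.
Explanation: "a=testers" is an assumed suite name, verify with apt-cache policy.
Package: *
Pin: release a=testers
Pin-Priority: 100

Explanation: Specific rule: for the AppArmor profile packages only, raise the
Explanation: testers suite above 500 so its version becomes the install
Explanation: candidate. Staying below 1000 means apt never downgrades an
Explanation: already installed newer version.
Package: apparmor-profile-*
Pin: release a=testers
Pin-Priority: 990
```

After `apt-get update`, running `apt-cache policy` on one of the apparmor-profile-* packages and on any unrelated package from the same repository shows which version apt selected as the candidate for each, which confirms that the pin only affects the profile packages.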
If you’re looking for things to do over here, the apparmor profiles have not been reviewed / updated in quite some time. They tend to only get looked at when something breaks. A while back, I looked at the okular and gwenview profiles and noticed that it was fairly messy aesthetically - overlaps with abstractions, some unanswered questions, etc. They all may have room for tightening if you’re familiar with all those details (which I’m not). Also, we are missing profiles for vlc (which I’m supposed to be working on) and tor-messenger (which seems to have stalled in ioerror’s absence: Sandboxing Instantbird (#10943) · Issues · Legacy / Trac · GitLab). At the same time, none of this is high priority so your talents may be put to better use on more important tasks.
I have been working on an improved Firefox profile since the Debian-supplied one is old and causes FF to freeze on certain pages. Yesterday, I was able to get it working without major glitches and am using it now, so I’ll post it to my GitHub soon.
Restrictedly fine tuned may sound great, but I don’t think that is useful.
AppArmor supposes that the application it is containing has been compromised. So imagine Tor Browser tries to break out to infect the whole system. Even restrictedly fine tuned, the malware can do whatever it wants, such as persisting across browser restarts.
So if it can write into /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/profile.default/ but not /home/user/.tb/tor-browser/Browser/TorBrowser/Data/Browser/something/, that does not give us any advantage. Therefore it can do anything inside /home/user/.tb/tor-browser.
A restrictedly fine tuned profile only causes more issues, such as breaking during Tor Browser’s internal updater and in other corner cases, which causes maintenance overhead. So owner @{TBB}/tor-browser*/** mrlwkix, as is, makes it very maintainable and I don’t see reasons to change that.
If you want to fine tune stuff outside of /home/user/.tb/tor-browser, that indeed can make sense.