Any graphical application running under X Windows System (X11) can see what any user is typing in any other application for any user.  For example, if user user running X11 would run lxsudo -u limited-user some-application that application if compromised could sniff anything that user user is writing. Including but not limited to any sudo password prompts.
See the footnote on that page too.
Can apparmor prevent that?
AppArmor prevent access to the the API that xinput is using for global keyboard sniffing?