Known issue, if it can be called that: AppArmor for Complete System - Including init, PID1, Systemd, Everything! - Full System MAC policy - #419 by madaidan
But since it got forgotten and confused all of us, a better implementation is desirable.
Best to add any error messages as a comment in the source code so it can at least be remembered when grepping the source code.
Was introduced here: Disable sdwdate systemd sandboxing and onion-grater apparmor profile by madaidan · Pull Request #61 · Kicksecure/apparmor-profile-everything · GitHub