Restrict root access

It appears that environment scrubbing won’t be a solution after all. I think it only applies to profile transitions i.e. transitioning from init-systemd to another profile. So we can’t just enable it globally to get rid of LD_PRELOAD.

The issue with enabling it globally I talked about in the apparmor-profile-everything thread was to do with /lib. If you exclude just that, you can get near-global environment scrubbing. Testing LD_PRELOAD with hardened_malloc and cat /proc/self/maps still worked fine, indicating it’s not effective for non-profile transitions.

This is also further backed up by the fact that there is no environment scrubbing available for the ix permission. Only permissions that transition profiles do, such as Px or Cx.

We’d need to disable LD_PRELOAD in another way.

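To make the ix-versus-Px distinction from the post concrete, here is an added profile fragment (illustration only, not from the thread or from apparmor-profile-everything); the program paths /usr/bin/example-parent and /usr/bin/example-child are hypothetical.

```apparmor
# Added illustration, not part of the thread. Hypothetical profile for a
# hypothetical /usr/bin/example-parent that executes /usr/bin/example-child.
#include <tunables/global>

/usr/bin/example-parent {
  #include <abstractions/base>

  /usr/bin/example-parent mr,

  # ix: the child inherits this same profile. No profile transition takes
  # place, so AppArmor offers no environment scrubbing here: an LD_PRELOAD
  # set in the parent's environment is passed through unchanged and the
  # dynamic linker honours it (the preloaded library shows up in the
  # child's /proc/self/maps).
  /usr/bin/example-child ix,

  # Px: the child transitions to its own profile (one must exist for
  # /usr/bin/example-child). The uppercase form requests environment
  # scrubbing: the exec is treated as a secure exec (AT_SECURE), so ld.so
  # ignores LD_PRELOAD and the other LD_* variables for that child.
  # /usr/bin/example-child Px,

  # px (lowercase): the same profile transition, but without scrubbing,
  # so LD_PRELOAD survives exactly as with ix.
  # /usr/bin/example-child px,
}
```

Only one of the three rules for the child should be active at a time; the inherit rule is the one that matches the post's observation that LD_PRELOAD still takes effect without a profile transition.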